GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-02-05 17:24:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD15EARS-00MVWB0 rev.51.0AB51 1397,27GB Running: 03d3q9m8.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\pgddapoc.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000774a6ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774a8184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SetParent 00000000774a8530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!PostMessageA 00000000774aa404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!EnableWindow 00000000774aaaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!MoveWindow 00000000774aaad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000774ac720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000774acd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000774ad2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendMessageA 00000000774ad338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774adc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000774af510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000774af874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000774afac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000774b0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000774b4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!GetKeyState 00000000774b5010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000774b5438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendMessageW 00000000774b6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!PostMessageW 00000000774b76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000774bdd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!GetClipboardData 00000000774be874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000774bf780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774c28e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!mouse_event 00000000774c3894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774c8a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000774c8be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000774c8c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendInput 00000000774c8cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!BlockInput 00000000774cad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774f14e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!keybd_event 00000000775145a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007751cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007751df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\wininit.exe[596] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff5a6bd0 5 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000774a6ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774a8184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SetParent 00000000774a8530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!PostMessageA 00000000774aa404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!EnableWindow 00000000774aaaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!MoveWindow 00000000774aaad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000774ac720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000774acd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000774ad2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendMessageA 00000000774ad338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774adc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000774af510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000774af874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000774afac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000774b0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000774b4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!GetKeyState 00000000774b5010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000774b5438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendMessageW 00000000774b6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!PostMessageW 00000000774b76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000774bdd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!GetClipboardData 00000000774be874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000774bf780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774c28e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!mouse_event 00000000774c3894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774c8a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000774c8be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000774c8c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendInput 00000000774c8cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!BlockInput 00000000774cad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774f14e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!keybd_event 00000000775145a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007751cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007751df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd40228 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40378 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff5a6bd0 5 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40378 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff5a6bd0 5 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40378 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[272] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\atiesrxx.exe[492] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\svchost.exe[652] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff5a6bd0 5 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40378 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff5a6bd0 5 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40378 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1652] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1672] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1768] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\Bonjour\mDNSResponder.exe[1964] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe[1988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077ac1401 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077ac1419 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077ac1431 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077ac144a 2 bytes [AC, 77] .text ... * 9 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077ac14dd 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077ac14f5 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077ac150d 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077ac1525 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077ac153d 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077ac1555 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077ac156d 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077ac1585 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077ac159d 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077ac15b5 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077ac15cd 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077ac16b2 2 bytes [AC, 77] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077ac16bd 2 bytes [AC, 77] .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\svchost.exe[1392] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077399b80 13 bytes {MOV R11, 0x140001e20; JMP R11} .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\OO Software\Defrag\oodag.exe[940] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\svchost.exe[2204] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8da1a0 7 bytes JMP 000007fffdd40180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\alg.exe[2900] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3028] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\Dwm.exe[2156] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[3076] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\svchost.exe[3220] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\Explorer.EXE[3356] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd403b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40378 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\System32\rundll32.exe[3872] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40340 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd403b0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[4004] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40378 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40308 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd40340 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd403b0 .text C:\Program Files\OO Software\Defrag\oodtray.exe[3168] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40378 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3160] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\XFastUsb\XFastUsb.exe[3496] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe[3260] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe[3836] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe[3984] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\SearchIndexer.exe[3572] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4920] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4920] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4920] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007738a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000773a1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\KERNEL32.dll!CreateProcessA 0000000077418810 7 bytes JMP 000000016fff0180 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3600] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text D:\CyberLink\PowerDVD12\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe[2688] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077961400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077961640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077961720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077961842 6 bytes {JMP 0xfffffffff868f190} .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077961860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077961a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077961c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077961d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077962190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde35290 7 bytes JMP 000007fffdd40148 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff6e22cc 5 bytes JMP 000007fffdd40260 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!BitBlt 000007feff6e24c0 5 bytes JMP 000007fffdd40298 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff6e5be0 5 bytes JMP 000007fffdd402d0 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff6e8398 9 bytes JMP 000007fffdd401f0 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff6e89c8 9 bytes JMP 000007fffdd401b8 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!GetPixel 000007feff6e9344 5 bytes JMP 000007fffdd40228 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff6eb9e8 5 bytes JMP 000007fffdd40340 .text C:\Windows\system32\taskeng.exe[3088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff6f5410 5 bytes JMP 000007fffdd40308 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077b0f9c0 5 bytes JMP 000000011001d120 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 000000011002fc20 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd44 5 bytes JMP 000000011002e100 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077b0fda8 5 bytes JMP 000000011002ed90 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077b0fea0 5 bytes JMP 000000011002c3c0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077b0ff84 5 bytes JMP 000000011002e7a0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077b0ffe4 2 bytes JMP 0000000110030080 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077b0ffe7 2 bytes [52, 98] .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b10064 5 bytes JMP 000000011002fe40 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b10094 5 bytes JMP 000000011002e400 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b10398 5 bytes JMP 000000011002cde0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b10530 5 bytes JMP 000000011002b670 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b10674 5 bytes JMP 000000011002f8b0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b1086c 5 bytes JMP 000000011002bfe0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b10884 5 bytes JMP 000000011002ca40 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b10dd4 5 bytes JMP 000000011002f6a0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b10eb8 5 bytes JMP 000000011002f220 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b11bc4 5 bytes JMP 000000011002f460 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b11c94 5 bytes JMP 000000011002c670 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b11d6c 5 bytes JMP 000000011002f020 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 0000000110027f40 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 7 bytes JMP 000000011001d240 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753c103d 5 bytes JMP 0000000110025070 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753c1072 5 bytes JMP 0000000110025c00 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753ec9b5 5 bytes JMP 0000000110023ba0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007672f776 5 bytes JMP 000000011001d270 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076538bff 5 bytes JMP 000000011001b6e0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765390d3 7 bytes JMP 000000011001c470 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076539679 5 bytes JMP 000000011001b1a0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765397d2 5 bytes JMP 000000011001ac20 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007653ee09 5 bytes JMP 000000011001c160 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007653efc9 5 bytes JMP 0000000110018140 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765412a5 5 bytes JMP 000000011001bc20 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007654291f 5 bytes JMP 00000001100193d0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SetParent 0000000076542d64 5 bytes JMP 0000000110018980 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076542da4 5 bytes JMP 0000000110017ea0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076543698 5 bytes JMP 0000000110018c20 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076543baa 5 bytes JMP 000000011001bec0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076543c61 5 bytes JMP 000000011001b980 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007654612e 5 bytes JMP 000000011001b440 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076546c30 7 bytes JMP 000000011001c690 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076547603 5 bytes JMP 000000011001c8b0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076547668 5 bytes JMP 000000011001a160 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765476e0 5 bytes JMP 000000011001a6a0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007654781f 5 bytes JMP 000000011001aee0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007654835c 5 bytes JMP 000000011001cb20 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007654c4b6 5 bytes JMP 0000000110018780 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007655c112 5 bytes JMP 0000000110019eb0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007655d0f5 5 bytes JMP 0000000110019c00 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007655eb96 5 bytes JMP 0000000110019120 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007655ec68 5 bytes JMP 0000000110019680 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendInput 000000007655ff4a 5 bytes JMP 0000000110019930 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076579f1d 5 bytes JMP 0000000110018370 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076581497 5 bytes JMP 0000000110017c90 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!mouse_event 000000007659027b 5 bytes JMP 00000001100297c0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765902bf 5 bytes JMP 00000001100299d0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076596cfc 5 bytes JMP 000000011001a960 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076596d5d 5 bytes JMP 000000011001a400 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076597dd7 5 bytes JMP 0000000110018580 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765988eb 5 bytes JMP 0000000110018f00 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764058b3 5 bytes JMP 0000000110028d10 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076405ea6 5 bytes JMP 0000000110029530 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076407bcc 5 bytes JMP 0000000110029e10 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007640b895 5 bytes JMP 0000000110028d50 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007640c332 5 bytes JMP 0000000110029280 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007640cbfb 5 bytes JMP 0000000110028ae0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007640e743 5 bytes JMP 0000000110029d10 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076434646 5 bytes JMP 0000000110028ff0 .text D:\Downloads\Programy\03d3q9m8.exe[4168] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764c2538 5 bytes JMP 00000001100244d0 ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8f62750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8f62b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8f67de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8f68130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef8f61908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8f61c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8f681d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8f62878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8f67a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef8f66c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef8f677bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8f67064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8f66544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8f65e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.0 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4920:5068] 000007fefbd42a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4920:4804] 000007fef9eb5124 ---- Files - GMER 2.0 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\73F50967-5B94-43FF-9F91-844F82C61F24.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\01149A99-20E4-4E3A-8757-1403E9C1AD4C.data 169324 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\01149A99-20E4-4E3A-8757-1403E9C1AD4C.data.info 224 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\021C66B4-A8C1-45BC-91D8-7B9647B724F8.data 158720 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\021C66B4-A8C1-45BC-91D8-7B9647B724F8.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\028703C7-81A6-4312-A018-488F200B65B6.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\028703C7-81A6-4312-A018-488F200B65B6.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\03DFDB8A-0892-4E65-94EF-91C4F3AA817B.data 45056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\03DFDB8A-0892-4E65-94EF-91C4F3AA817B.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\743072C7-4F92-4BF7-9EC0-9AAB396959CC.data 1226316 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\743072C7-4F92-4BF7-9EC0-9AAB396959CC.data.info 332 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\746ABA5B-1F87-43D4-8CD1-0396B93524A0.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\746ABA5B-1F87-43D4-8CD1-0396B93524A0.data.info 242 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7529D757-4BD0-4E00-867D-DB00201BCB8A.data 2961408 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7529D757-4BD0-4E00-867D-DB00201BCB8A.data.info 154 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\77D785CF-457E-4038-A483-92E594D2E767.data 1367552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\77D785CF-457E-4038-A483-92E594D2E767.data.info 246 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AE29F0E9-093E-4F17-8A03-166B54D096E9.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AE29F0E9-093E-4F17-8A03-166B54D096E9.data.info 162 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AF7F9A30-B5F4-47FD-AAAB-EA00B8763DE1.data 21082112 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AF7F9A30-B5F4-47FD-AAAB-EA00B8763DE1.data.info 126 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B0928186-BA8B-49CC-9657-AD3EB72EB0B2.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B0928186-BA8B-49CC-9657-AD3EB72EB0B2.data.info 116 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B09B0DC4-F4DF-42BE-B6E0-5957F0BD4A7C.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B09B0DC4-F4DF-42BE-B6E0-5957F0BD4A7C.data.info 136 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2FD5D412-00EC-42B5-9E5D-6797F02CF819.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\340882A8-48AD-49F9-B5D7-93018CF1D920.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\340882A8-48AD-49F9-B5D7-93018CF1D920.data.info 270 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\34808A43-98F3-455F-9604-DDE941DC056F.data 6452 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\34808A43-98F3-455F-9604-DDE941DC056F.data.info 216 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\36B067A4-C160-45F5-9182-1BB052A39664.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\36B067A4-C160-45F5-9182-1BB052A39664.data.info 144 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\385F927D-F7F8-43FC-9CDD-41F61E37D5E5.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\385F927D-F7F8-43FC-9CDD-41F61E37D5E5.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\04E46C10-D7B8-413F-85FF-87E1ADC2651E.data 62335 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0775C54B-1015-4BBC-A547-0A1234153CB2.data.info 124 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0E82A66A-13CE-4163-9313-22F4B5674503.data 25015296 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1A4B6C1A-A26C-457A-8323-D4CD5CE4C9AA.data.info 204 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\26963D04-3B1B-40E5-A181-5E36DF8AAB73.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2C0C9A3B-C095-4F4E-872A-F577F2982165.data 3717080 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2FD5D412-00EC-42B5-9E5D-6797F02CF819.data 147456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4292DE94-9964-4BC6-A45C-2A9E51BF4A6F.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\46E9515B-3A0E-4923-A8BD-8D3A04BD43B1.data.info 170 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4C72BDB2-E630-40B0-B0D0-0B0774801AE7.data 4108956 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5B90AB78-2440-4651-A825-5FA79A461642.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5FA9FA0D-C578-4D8D-A872-7C4CEE19D308.data 1561280 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6B1F8CC4-5AF7-41A8-BF3D-613C0E347799.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0BD891F8-4CD3-4E18-9025-4999D00B53CB.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0BD891F8-4CD3-4E18-9025-4999D00B53CB.data.info 106 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0C183832-F3FD-4129-8AE4-6382EEBA82B1.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0C183832-F3FD-4129-8AE4-6382EEBA82B1.data.info 164 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0E06BF18-AB0D-448B-829A-93B4F8C96FA1.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0E06BF18-AB0D-448B-829A-93B4F8C96FA1.data.info 204 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C5E6621C-AE4F-4656-A1F7-17DBB6207325.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C5E6621C-AE4F-4656-A1F7-17DBB6207325.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C8553C44-3BB5-46FC-9DC0-D6FC1C990C51.data 116017 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C8553C44-3BB5-46FC-9DC0-D6FC1C990C51.data.info 76 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C95E4584-3F9D-45DC-A21F-8D2541279B35.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C95E4584-3F9D-45DC-A21F-8D2541279B35.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CA9C153C-6CFF-42DC-A103-4A435C5E79C8.data 1368576 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CA9C153C-6CFF-42DC-A103-4A435C5E79C8.data.info 260 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CB937132-8CC5-4826-8C91-F2E92E03AC2F.data 389953 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5474CD98-ABD8-4641-82BB-0EF6D3A21AAF.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5474CD98-ABD8-4641-82BB-0EF6D3A21AAF.data.info 140 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\54AF7078-E375-46AF-BC40-0B15E845CD16.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\54AF7078-E375-46AF-BC40-0B15E845CD16.data.info 200 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\55AC2780-A3CF-4A91-AC73-E4C478EBDD39.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\55AC2780-A3CF-4A91-AC73-E4C478EBDD39.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5A52B633-0301-40C1-B0F3-B232A9B32631.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5A52B633-0301-40C1-B0F3-B232A9B32631.data.info 234 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5B90AB78-2440-4651-A825-5FA79A461642.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\966F210A-7EE9-4D1C-BC74-C336BE2E0208.data.info 124 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\97B8D183-7F85-4E1B-A544-DC9716F747D3.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\97B8D183-7F85-4E1B-A544-DC9716F747D3.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9A1BC526-A69F-4FF6-9683-E3CF9492F3C6.data 554768 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9A1BC526-A69F-4FF6-9683-E3CF9492F3C6.data.info 202 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9AB99BE6-FB58-4CF7-9193-E93A0F5D83B0.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9AB99BE6-FB58-4CF7-9193-E93A0F5D83B0.data.info 256 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9CA33497-0F17-48F5-92D2-2ACB28FAC7B5.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9CA33497-0F17-48F5-92D2-2ACB28FAC7B5.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9D0E1B13-8DC7-48AB-AC91-6024AC69DE3A.data 147456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9D0E1B13-8DC7-48AB-AC91-6024AC69DE3A.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\12E4476F-8448-4D92-9EF6-932B06FF1AF0.data 145408 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\12E4476F-8448-4D92-9EF6-932B06FF1AF0.data.info 316 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\14CA038C-225A-4BBF-8964-3434752C336F.data 467777 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\14CA038C-225A-4BBF-8964-3434752C336F.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1656062C-1275-45D2-A303-2A574AB10842.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1656062C-1275-45D2-A303-2A574AB10842.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\17EA3385-DDD9-49D4-9D5E-21B4A4D254E6.data 467777 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\17EA3385-DDD9-49D4-9D5E-21B4A4D254E6.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\18F1E219-0804-4546-B57B-B80CB81F8AFA.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\18F1E219-0804-4546-B57B-B80CB81F8AFA.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1A4B6C1A-A26C-457A-8323-D4CD5CE4C9AA.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9FBD07E4-47C4-415B-B610-F41FF51DD82C.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9FBD07E4-47C4-415B-B610-F41FF51DD82C.data.info 204 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A00E6055-7B1C-44AA-A3A5-A2175EB6CBE8.data 147456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A00E6055-7B1C-44AA-A3A5-A2175EB6CBE8.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A2585AD8-2D18-497E-9CF1-98AE4E9E20A3.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A2585AD8-2D18-497E-9CF1-98AE4E9E20A3.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A7516C66-D7AE-4BF2-9800-D4767EF08D12.data 2626512 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A7516C66-D7AE-4BF2-9800-D4767EF08D12.data.info 300 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6B1F8CC4-5AF7-41A8-BF3D-613C0E347799.data.info 148 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6BCCA64C-8A4A-41BB-A431-0B1CD736CAE0.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6BCCA64C-8A4A-41BB-A431-0B1CD736CAE0.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6CDAFE23-76BF-451B-A8FA-36E0C580F2DF.data 25015296 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6CDAFE23-76BF-451B-A8FA-36E0C580F2DF.data.info 130 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6CE7F82F-564D-4134-888E-6A00E674949C.data 147456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6CE7F82F-564D-4134-888E-6A00E674949C.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6D399A70-8E66-4D7E-9EBF-AE03EB0FA223.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6D399A70-8E66-4D7E-9EBF-AE03EB0FA223.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6DF86359-4B12-4182-8AD7-59B4E14AB298.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6DF86359-4B12-4182-8AD7-59B4E14AB298.data.info 188 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\72387567-A7A6-4CFB-8D73-70E50E89BAB5.data 467777 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\72387567-A7A6-4CFB-8D73-70E50E89BAB5.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\73F50967-5B94-43FF-9F91-844F82C61F24.data 172543 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\48CC2CE6-5FFE-4F67-A749-06952BA28F46.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\48CC2CE6-5FFE-4F67-A749-06952BA28F46.data.info 208 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\49119D3A-ACA0-40F6-ABD3-BA6E65910B2D.data 9375889 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\49119D3A-ACA0-40F6-ABD3-BA6E65910B2D.data.info 176 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4AE39697-C5B6-4A99-AC80-2C4250C7246C.data 45056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4AE39697-C5B6-4A99-AC80-2C4250C7246C.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E2D95659-C9E9-4CBA-846A-1D0E303C3AA4.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E2D95659-C9E9-4CBA-846A-1D0E303C3AA4.data.info 256 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E3188474-801C-452C-93D0-F55754CF8476.data 342016 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E3188474-801C-452C-93D0-F55754CF8476.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E540F86E-87F7-4D9E-839A-EDF1FCB7E3E1.data 151552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E540F86E-87F7-4D9E-839A-EDF1FCB7E3E1.data.info 174 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EB2211BE-6002-440D-A8ED-2748DA31EB62.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EB2211BE-6002-440D-A8ED-2748DA31EB62.data.info 242 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EE478E75-D8B0-43B5-9EFB-F199493DD981.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EE478E75-D8B0-43B5-9EFB-F199493DD981.data.info 230 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BB67E829-3B00-44AB-BE71-5610856D1E29.data 1367552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BB67E829-3B00-44AB-BE71-5610856D1E29.data.info 252 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BC45D9DD-9DEC-46EF-A0EF-9D148C6A5601.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BC45D9DD-9DEC-46EF-A0EF-9D148C6A5601.data.info 130 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BD26AD1C-3D8F-4BB1-97E6-85DCC7F9F34D.data 1111832 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BD26AD1C-3D8F-4BB1-97E6-85DCC7F9F34D.data.info 202 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BD27F3C5-C678-475C-A729-EB1D619059BE.data 21082112 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BD27F3C5-C678-475C-A729-EB1D619059BE.data.info 170 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BDC0BC55-A55B-4DDB-8C94-98A5EFA5614F.data 45056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BDC0BC55-A55B-4DDB-8C94-98A5EFA5614F.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C032F643-1A72-4319-A7C3-C569513A76A6.data 24057 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C032F643-1A72-4319-A7C3-C569513A76A6.data.info 210 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C13678E6-D1F3-40D4-B7BB-D3229493E6C0.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7FEA0C10-BA27-4433-88A4-0AE05FA5DB31.data.info 128 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8769B397-A631-44F4-B1AE-8202C2F92C9C.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8769B397-A631-44F4-B1AE-8202C2F92C9C.data.info 176 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\884867A6-15E2-4B32-9518-22F58CCFFC3E.data 1042432 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\884867A6-15E2-4B32-9518-22F58CCFFC3E.data.info 224 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8B580563-8449-4C4F-A451-41655F1BAC75.data 151552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8B580563-8449-4C4F-A451-41655F1BAC75.data.info 174 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\27377DCC-925C-451F-85BF-FCE80B6B8C17.data 6375424 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\27377DCC-925C-451F-85BF-FCE80B6B8C17.data.info 106 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\290EEBF3-A868-4CB2-BD49-05C1A23103E2.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\290EEBF3-A868-4CB2-BD49-05C1A23103E2.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B44E8AA-E935-4715-89DB-3534AED39B43.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B44E8AA-E935-4715-89DB-3534AED39B43.data.info 216 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B6228C4-889C-4AA9-AF27-028CFC0D9F4D.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B6228C4-889C-4AA9-AF27-028CFC0D9F4D.data.info 310 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5C9F3610-D8EB-413A-A32C-24EF87C53DEC.data 13729 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5C9F3610-D8EB-413A-A32C-24EF87C53DEC.data.info 220 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5D1DE294-B719-472C-AF8A-38FCF70451DB.data 389953 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5D1DE294-B719-472C-AF8A-38FCF70451DB.data.info 74 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5D7C6D2D-C12A-4D6E-B8C3-C4D2024C6BFF.data 45056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5D7C6D2D-C12A-4D6E-B8C3-C4D2024C6BFF.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5DDB7277-083D-444C-ACFA-7E5E9C7657D6.data 9674 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5DDB7277-083D-444C-ACFA-7E5E9C7657D6.data.info 216 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D2DBF21D-8BF7-490B-B73D-556154E2C121.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D641B184-8111-4E5E-AEE0-8C5FE5DA2DA8.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D641B184-8111-4E5E-AEE0-8C5FE5DA2DA8.data.info 242 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D85E3311-2655-42F0-BC7D-62B86B482932.data 1111832 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D85E3311-2655-42F0-BC7D-62B86B482932.data.info 196 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\DAEC1D49-BC86-4302-93D0-9C9817520811.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\DAEC1D49-BC86-4302-93D0-9C9817520811.data.info 184 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\DD7456A7-02D9-4B54-B82A-176E18EEE687.data 8759330 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\DD7456A7-02D9-4B54-B82A-176E18EEE687.data.info 146 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E2623540-E067-4F09-8A6B-AF5D9A0C0210.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E2623540-E067-4F09-8A6B-AF5D9A0C0210.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E278608D-63C5-4D1D-9EEC-31E97266286D.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F2C2E544-9437-415C-93E0-7F2C78846572.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F3C7D9AF-85FA-406A-9BD3-C59A7A58BF91.data 382626 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F3C7D9AF-85FA-406A-9BD3-C59A7A58BF91.data.info 118 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F5ED96E1-9ACE-4F6F-8DD2-4A75EBCB2FE2.data 141824 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F5ED96E1-9ACE-4F6F-8DD2-4A75EBCB2FE2.data.info 162 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FBB8A2DA-84ED-4CCB-A50B-8CD6D4A7B171.data 13729 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FBB8A2DA-84ED-4CCB-A50B-8CD6D4A7B171.data.info 218 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FCA76AF4-B3B7-4540-B161-CCB7B4F11D27.data 3927040 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FCA76AF4-B3B7-4540-B161-CCB7B4F11D27.data.info 252 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FE708BA8-2C3A-49C1-923B-42C480C1D959.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FE708BA8-2C3A-49C1-923B-42C480C1D959.data.info 186 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FEE62045-6FDA-4875-B1E2-763FE28B6E2C.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FEE62045-6FDA-4875-B1E2-763FE28B6E2C.data.info 246 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3B0752BF-FE80-4059-BA7F-CB17933D4D6D.data 467777 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3B0752BF-FE80-4059-BA7F-CB17933D4D6D.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3D17CFB4-2376-4037-B6B2-B6918577A741.data 1069056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3D17CFB4-2376-4037-B6B2-B6918577A741.data.info 344 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3DAA059E-38AE-4636-AC34-FB29D5C7CCCA.data 73728 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3DAA059E-38AE-4636-AC34-FB29D5C7CCCA.data.info 116 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3DAA7B8D-2311-4511-9182-7F72C55812C7.data 73728 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3DAA7B8D-2311-4511-9182-7F72C55812C7.data.info 116 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3E8EDAB7-2903-4E9A-A349-384782E74F0A.data 4168837 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3E8EDAB7-2903-4E9A-A349-384782E74F0A.data.info 208 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3F2F2FEC-9DD8-49B2-BE8E-1A9AB3BB436B.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3F2F2FEC-9DD8-49B2-BE8E-1A9AB3BB436B.data.info 222 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1BD620DE-79E6-438D-B7C0-AEC952776EB1.data 158720 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1BD620DE-79E6-438D-B7C0-AEC952776EB1.data.info 172 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1E89EAE9-643D-42F1-833A-8BDF9B759A20.data 323072 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1E89EAE9-643D-42F1-833A-8BDF9B759A20.data.info 240 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1F00A398-5CD8-4B94-8D8B-30255DFC353F.data 90624 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1F00A398-5CD8-4B94-8D8B-30255DFC353F.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\21423759-FD6C-46FD-88D3-9EC16DA798DB.data 3834566 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\21423759-FD6C-46FD-88D3-9EC16DA798DB.data.info 314 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\22980FBD-DA4B-48B0-A99D-5A109F3053F0.data 467777 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\22980FBD-DA4B-48B0-A99D-5A109F3053F0.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\257014D7-E79F-45D6-8076-66287985349D.data 172543 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\257014D7-E79F-45D6-8076-66287985349D.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\26963D04-3B1B-40E5-A181-5E36DF8AAB73.data 147456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2C0C9A3B-C095-4F4E-872A-F577F2982165.data.info 124 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2D7FB95E-8943-4B48-8067-87A3121E53BF.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2D7FB95E-8943-4B48-8067-87A3121E53BF.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2E9D7677-0EF3-4E5B-A548-8611CD8A1BA1.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2E9D7677-0EF3-4E5B-A548-8611CD8A1BA1.data.info 202 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2EE4B864-6C52-49FA-A716-DCDC23F83581.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2EE4B864-6C52-49FA-A716-DCDC23F83581.data.info 276 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A824D5FF-6FAC-4ED8-B700-12C559E5CBF6.data.info 158 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A90D3608-A2F9-426B-80D4-FD360ECF5B2E.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A90D3608-A2F9-426B-80D4-FD360ECF5B2E.data.info 234 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AB0924CE-A661-43FD-8B6F-5795B7755ED8.data 7988037 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AB0924CE-A661-43FD-8B6F-5795B7755ED8.data.info 348 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ABC03E36-BF23-47E1-BF41-E644AF87505F.data 145408 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ABC03E36-BF23-47E1-BF41-E644AF87505F.data.info 316 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AC712B07-B883-48D0-8749-A85BD6488E69.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AC712B07-B883-48D0-8749-A85BD6488E69.data.info 160 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ACB9411F-7815-443F-A8D1-205AA49CDA1A.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ACB9411F-7815-443F-A8D1-205AA49CDA1A.data.info 126 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\65311B82-6FE9-453E-9EAD-67B4A1F3866E.data 1042432 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\65311B82-6FE9-453E-9EAD-67B4A1F3866E.data.info 200 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6688DECA-B134-4ED9-9536-4A5E7AC057D1.data 45056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6688DECA-B134-4ED9-9536-4A5E7AC057D1.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\66E3BC74-FE0A-4B5B-8CD6-67BED1CCC289.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\66E3BC74-FE0A-4B5B-8CD6-67BED1CCC289.data.info 276 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6711B148-396B-400F-B87E-D997B5F95F34.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6711B148-396B-400F-B87E-D997B5F95F34.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C219F124-0A53-4654-84DD-4F8D915CBF7B.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C219F124-0A53-4654-84DD-4F8D915CBF7B.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C26AF8CF-13B9-4C32-8F01-0153BDBB01A8.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C26AF8CF-13B9-4C32-8F01-0153BDBB01A8.data.info 158 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C4FA0098-EF90-4479-B7BD-2DBCF923799B.data 151552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C4FA0098-EF90-4479-B7BD-2DBCF923799B.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C5927C1B-B495-4D1F-83DC-C2561BA1DB25.data 25015296 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C5927C1B-B495-4D1F-83DC-C2561BA1DB25.data.info 138 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4C72BDB2-E630-40B0-B0D0-0B0774801AE7.data.info 178 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4D98FAA5-B039-4DFA-86E2-847A0E5A563A.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4D98FAA5-B039-4DFA-86E2-847A0E5A563A.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4DED451E-5EBB-454F-8D5E-0B6752A962FC.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4DED451E-5EBB-454F-8D5E-0B6752A962FC.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4E08D804-4B8C-4D35-B074-6B1A3D450EAB.data 1367552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4E08D804-4B8C-4D35-B074-6B1A3D450EAB.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4F0985BF-F239-4942-B508-3A5FA245755D.data 1367552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4F0985BF-F239-4942-B508-3A5FA245755D.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5310B830-0206-493F-A368-AC9CA6DC205E.data 25015296 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5310B830-0206-493F-A368-AC9CA6DC205E.data.info 130 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7FEA0C10-BA27-4433-88A4-0AE05FA5DB31.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\966F210A-7EE9-4D1C-BC74-C336BE2E0208.data 3717080 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A824D5FF-6FAC-4ED8-B700-12C559E5CBF6.data 38952 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BA19CB47-ED34-4059-B87D-E69D082DA176.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\C13678E6-D1F3-40D4-B7BB-D3229493E6C0.data.info 426 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CB937132-8CC5-4826-8C91-F2E92E03AC2F.data.info 74 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D2DBF21D-8BF7-490B-B73D-556154E2C121.data 147456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E278608D-63C5-4D1D-9EEC-31E97266286D.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F2C2E544-9437-415C-93E0-7F2C78846572.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B3945EE1-834E-4416-9EE7-2B6511FEC0F7.data 467777 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B3945EE1-834E-4416-9EE7-2B6511FEC0F7.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B469ACE0-A656-4632-8DC2-37ADBFE13146.data 696831 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B469ACE0-A656-4632-8DC2-37ADBFE13146.data.info 134 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B7775F56-0997-421C-9FCC-F11C795F8227.data 916630 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B7775F56-0997-421C-9FCC-F11C795F8227.data.info 294 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B80472DD-34D3-4389-B6CF-DD59CA27F0D2.data 31205136 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B80472DD-34D3-4389-B6CF-DD59CA27F0D2.data.info 148 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B87FFA83-EE40-4A53-BE24-E1912A849568.data 1340416 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B87FFA83-EE40-4A53-BE24-E1912A849568.data.info 216 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BA19CB47-ED34-4059-B87D-E69D082DA176.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CC37D50E-9BD9-4A7B-B701-1A2F0DA99827.data 1112748 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CC37D50E-9BD9-4A7B-B701-1A2F0DA99827.data.info 210 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CD75E1DD-0BBC-45F8-95B0-2773CC9F10A6.data 222207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CD75E1DD-0BBC-45F8-95B0-2773CC9F10A6.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D066A3B9-B1A6-4FB4-A3FD-861CADAED5CF.data 389953 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D066A3B9-B1A6-4FB4-A3FD-861CADAED5CF.data.info 74 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D27811FA-A426-4AEE-8F4D-12369BBEE52E.data 696831 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D27811FA-A426-4AEE-8F4D-12369BBEE52E.data.info 134 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EF338B30-5C92-4362-B564-C016FFA89B0E.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EF338B30-5C92-4362-B564-C016FFA89B0E.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EFC22BA8-7AF7-4E11-AB33-68D511CB8346.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\EFC22BA8-7AF7-4E11-AB33-68D511CB8346.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F2054203-364A-4169-9496-B1AEBD1FCEFC.data 151552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F2054203-364A-4169-9496-B1AEBD1FCEFC.data.info 174 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F252C231-BC79-4EE0-A1A8-F9B7D623158E.data 1053023 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F252C231-BC79-4EE0-A1A8-F9B7D623158E.data.info 122 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4292DE94-9964-4BC6-A45C-2A9E51BF4A6F.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\43321F75-23CF-4F9E-B146-3CF0FBFF613C.data 45056 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\43321F75-23CF-4F9E-B146-3CF0FBFF613C.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\44951171-FE9B-4B63-B9CC-B82EE9F9ACA0.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\44951171-FE9B-4B63-B9CC-B82EE9F9ACA0.data.info 200 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\46E9515B-3A0E-4923-A8BD-8D3A04BD43B1.data 2473156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0E82A66A-13CE-4163-9313-22F4B5674503.data.info 130 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0F4EED58-973E-4436-AD42-14B4D50D348D.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0F4EED58-973E-4436-AD42-14B4D50D348D.data.info 126 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0FB580D6-6DFE-4FCB-97C5-36C2370B703E.data 389953 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0FB580D6-6DFE-4FCB-97C5-36C2370B703E.data.info 74 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\110856BA-F394-4376-9F41-3683502E2986.data 2961408 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\110856BA-F394-4376-9F41-3683502E2986.data.info 154 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\11A50DDF-F973-4059-86DC-5C9220A85BE1.data 342016 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\11A50DDF-F973-4059-86DC-5C9220A85BE1.data.info 186 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1250AD3B-6665-4C96-83A2-C4BD05651CFB.data 2473156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1250AD3B-6665-4C96-83A2-C4BD05651CFB.data.info 286 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8BBE3B77-8AF2-463E-992C-21FC2C9CF121.data 145408 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8BBE3B77-8AF2-463E-992C-21FC2C9CF121.data.info 316 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9128C568-FD01-4010-90F9-7B98AE2CBF87.data 107520 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9128C568-FD01-4010-90F9-7B98AE2CBF87.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93B410D2-2A1E-4323-B23C-95875C4A30D1.data 67584 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93B410D2-2A1E-4323-B23C-95875C4A30D1.data.info 258 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93C5C183-A9F2-426A-99D4-BCF51FB18667.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93C5C183-A9F2-426A-99D4-BCF51FB18667.data.info 208 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93DE55FB-2526-4A0D-AB31-8CE6BDF961FA.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93DE55FB-2526-4A0D-AB31-8CE6BDF961FA.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93EE987D-2613-4145-8F82-D7F23E3E31EB.data 438353 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\93EE987D-2613-4145-8F82-D7F23E3E31EB.data.info 334 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7AF26CFD-F7DB-4C54-81A9-F1F9BEE50D53.data 3717080 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7AF26CFD-F7DB-4C54-81A9-F1F9BEE50D53.data.info 124 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7C396BC5-3665-4A33-83A6-1C2559A233ED.data 726614 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7C396BC5-3665-4A33-83A6-1C2559A233ED.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7F415085-FC87-4EA5-8AB8-E1DF4B80182D.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7F415085-FC87-4EA5-8AB8-E1DF4B80182D.data.info 334 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\04E46C10-D7B8-413F-85FF-87E1ADC2651E.data.info 184 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\054B9FD5-BF51-43D4-A584-00E98761834A.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\054B9FD5-BF51-43D4-A584-00E98761834A.data.info 230 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\067B04D1-21E1-4F98-8AAE-5EF799A4BBDA.data 25015296 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\067B04D1-21E1-4F98-8AAE-5EF799A4BBDA.data.info 130 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0775C54B-1015-4BBC-A547-0A1234153CB2.data 3717080 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5FA9FA0D-C578-4D8D-A872-7C4CEE19D308.data.info 128 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\61AA7A94-9FF7-473C-8012-6129EF4178CE.data 2961408 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\61AA7A94-9FF7-473C-8012-6129EF4178CE.data.info 100 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\62C850D1-DA7E-4BAF-A09E-C73FAB1B7E2C.data 1087231 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\62C850D1-DA7E-4BAF-A09E-C73FAB1B7E2C.data.info 176 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6335D711-F936-4326-AF45-16C485DBC032.data 42667 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6335D711-F936-4326-AF45-16C485DBC032.data.info 212 bytes ---- EOF - GMER 2.0 ----