GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-02-06 19:00:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: orfq7pii.exe; Driver: C:\Users\Dominik\AppData\Local\Temp\agriifod.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88bee890} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88bee590} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88bee090} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88bedb90} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000771d7640 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000771d9554 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SetParent 00000000771d9870 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!PostMessageA 00000000771dca54 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!EnableWindow 00000000771dd0f0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!MoveWindow 00000000771dd120 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000771df0c4 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000771df690 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000771dfc50 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageA 00000000771dfcd8 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000771e03f0 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000771e1f30 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000771e2294 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000771e3464 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000771e71e8 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!GetKeyState 00000000771e78c0 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000771e8e28 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000771e8f9c 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!PostMessageW 00000000771e92d4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageW 00000000771ea800 2 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageW + 3 00000000771ea803 2 bytes [E0, F8] .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000771f0bf8 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!GetClipboardData 00000000771f1584 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000771f2360 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000771f5508 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!mouse_event 00000000771f62c4 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000771f91a0 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000771f92e0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000771f9320 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendInput 00000000771f93d0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!BlockInput 00000000771fb430 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772216e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!keybd_event 0000000077244474 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007724cc58 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007724dec8 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\wininit.exe[948] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 000000014a510430 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000014a5103b0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000014a510320 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 000000014a510380 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 000000014a5102e0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 000000014a510410 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 000000014a5102d0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000014a510310 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000014a510390 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 000000014a5103c0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 000000014a510230 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffffd2fde890} .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 000000014a510370 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 000000014a5102f0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 000000014a510350 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 000000014a510290 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 000000014a5102b0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000014a5103a0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 000000014a510330 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffffd2fde590} .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 000000014a5103e0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 000000014a510240 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000014a5101e0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 000000014a510250 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffffd2fde090} .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 000000014a510470 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 000000014a510480 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 000000014a510300 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 000000014a510360 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 000000014a5102a0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 000000014a5102c0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 000000014a510340 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 000000014a510420 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 000000014a510260 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 000000014a510270 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 000000014a5103d0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffffd2fddb90} .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000014a5101f0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 000000014a510210 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000014a510200 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 000000014a5103f0 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 000000014a510400 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000014a510220 .text C:\Windows\system32\csrss.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 000000014a510280 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690440 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690430 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000077690450 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 0000000077690320 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000077690410 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690310 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 0000000077690390 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000077690230 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 0000000077690460 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690370 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690350 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000077690330 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690240 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000077690250 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000077690470 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000077690480 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000077690300 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690360 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690340 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690420 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690260 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690270 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776903d0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690210 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 0000000077690200 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690400 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690220 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\winlogon.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff616bd0 5 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000771d7640 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000771d9554 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SetParent 00000000771d9870 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!PostMessageA 00000000771dca54 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!EnableWindow 00000000771dd0f0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!MoveWindow 00000000771dd120 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000771df0c4 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000771df690 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000771dfc50 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageA 00000000771dfcd8 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000771e03f0 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000771e1f30 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000771e2294 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000771e3464 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000771e71e8 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!GetKeyState 00000000771e78c0 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000771e8e28 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000771e8f9c 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!PostMessageW 00000000771e92d4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageW 00000000771ea800 2 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageW + 3 00000000771ea803 2 bytes [E0, F8] .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000771f0bf8 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!GetClipboardData 00000000771f1584 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000771f2360 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000771f5508 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!mouse_event 00000000771f62c4 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000771f91a0 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000771f92e0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000771f9320 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendInput 00000000771f93d0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!BlockInput 00000000771fb430 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772216e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!keybd_event 0000000077244474 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007724cc58 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007724dec8 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd910228 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910378 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\lsass.exe[592] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\lsm.exe[620] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff616bd0 5 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910378 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff616bd0 5 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910378 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\svchost.exe[1096] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff616bd0 5 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910378 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\taskeng.exe[1668] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b2ee90} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b2e890} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b2e590} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b2e090} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b2db90} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100060280 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0xffffffff88b3ee90} .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0xffffffff88b3e890} .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0xffffffff88b3e590} .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0xffffffff88b3e090} .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0xffffffff88b3db90} .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff616bd0 5 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910378 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 00000001002dd120 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 00000001002efc20 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 00000001002ee100 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 00000001002eed90 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 00000001002ec3c0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 00000001002ee7a0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 00000001002f0080 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [C1, 88] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 00000001002efe40 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 00000001002ee400 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 00000001002ecde0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 00000001002eb670 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 00000001002ef8b0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 00000001002ebfe0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 00000001002eca40 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 00000001002ef6a0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 00000001002ef220 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 00000001002ef460 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 00000001002ec670 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 00000001002ef020 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 00000001002e7f40 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 00000001002dd240 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 00000001002e5070 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 00000001002e5c00 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 00000001002e3ba0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 00000001002dd270 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 00000001002db6e0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 00000001002db1a0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 00000001002dac20 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 00000001002d8140 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 00000001002dc160 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 00000001002dbc20 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 00000001002dc470 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001002d93d0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 00000001002d8c20 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 00000001002dbec0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 00000001002db980 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 00000001002d8980 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 00000001002d7ea0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 00000001002d9120 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 00000001002d9680 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 00000001002dcb20 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 00000001002d8780 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 00000001002d9eb0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 00000001002dc8b0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 00000001002da6a0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 00000001002d9c00 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 00000001002db440 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 00000001002daee0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 00000001002dc690 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 00000001002da160 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 00000001002d9930 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 00000001002d8370 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 00000001002d7c90 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001002e97c0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001002e99d0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 00000001002da960 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 00000001002da400 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 00000001002d8580 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 00000001002d8f00 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 00000001002e8d10 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 00000001002e9530 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 00000001002e9e10 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 00000001002e8d50 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 00000001002e9280 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 00000001002e8ae0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 00000001002e9d10 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 00000001002e8ff0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001002e44d0 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\Dwm.exe[2140] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[2168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000771d7640 8 bytes JMP 000000016fff06f8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000771d9554 7 bytes JMP 000000016fff0880 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SetParent 00000000771d9870 8 bytes JMP 000000016fff0730 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!PostMessageA 00000000771dca54 5 bytes JMP 000000016fff0308 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!EnableWindow 00000000771dd0f0 9 bytes JMP 000000016fff08f0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!MoveWindow 00000000771dd120 8 bytes JMP 000000016fff0768 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000771df0c4 5 bytes JMP 000000016fff06c0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000771df690 8 bytes JMP 000000016fff0848 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000771dfc50 5 bytes JMP 000000016fff0378 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageA 00000000771dfcd8 5 bytes JMP 000000016fff03e8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000771e03f0 9 bytes JMP 000000016fff0570 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000771e1f30 7 bytes JMP 000000016fff08b8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000771e2294 9 bytes JMP 000000016fff0298 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000771e3464 10 bytes JMP 000000016fff03b0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000771e71e8 5 bytes JMP 000000016fff02d0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!GetKeyState 00000000771e78c0 5 bytes JMP 000000016fff0688 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000771e8e28 7 bytes JMP 000000016fff0500 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000771e8f9c 9 bytes JMP 000000016fff0490 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!PostMessageW 00000000771e92d4 7 bytes JMP 000000016fff0340 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageW 00000000771ea800 2 bytes JMP 000000016fff0420 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageW + 3 00000000771ea803 2 bytes [E0, F8] .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000771f0bf8 5 bytes JMP 000000016fff05e0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!GetClipboardData 00000000771f1584 5 bytes JMP 000000016fff0810 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000771f2360 8 bytes JMP 000000016fff07a0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000771f5508 12 bytes JMP 000000016fff0538 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!mouse_event 00000000771f62c4 7 bytes JMP 000000016fff0228 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000771f91a0 8 bytes JMP 000000016fff0650 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000771f92e0 12 bytes JMP 000000016fff0458 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000771f9320 12 bytes JMP 000000016fff0260 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendInput 00000000771f93d0 8 bytes JMP 000000016fff0618 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!BlockInput 00000000771fb430 8 bytes JMP 000000016fff07d8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772216e0 5 bytes JMP 000000016fff0928 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!keybd_event 0000000077244474 7 bytes JMP 000000016fff01f0 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007724cc58 5 bytes JMP 000000016fff05a8 .text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007724dec8 7 bytes JMP 000000016fff04c8 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 00000001002ad120 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 00000001002bfc20 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 00000001002be100 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 00000001002bed90 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 00000001002bc3c0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 00000001002be7a0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 00000001002c0080 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [BE, 88] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 00000001002bfe40 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 00000001002be400 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 00000001002bcde0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 00000001002bb670 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 00000001002bf8b0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 00000001002bbfe0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 00000001002bca40 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 00000001002bf6a0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 00000001002bf220 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 00000001002bf460 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 00000001002bc670 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 00000001002bf020 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 00000001002b7f40 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 00000001002ad240 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 00000001002b5070 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 00000001002b5c00 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 00000001002b3ba0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 00000001002ad270 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001002b44d0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 00000001002ab6e0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 00000001002ab1a0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 00000001002aac20 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 00000001002a8140 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 00000001002ac160 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 00000001002abc20 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 00000001002ac470 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001002a93d0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 00000001002a8c20 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 00000001002abec0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 00000001002ab980 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 00000001002a8980 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 00000001002a7ea0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 00000001002a9120 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 00000001002a9680 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 00000001002acb20 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 00000001002a8780 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 00000001002a9eb0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 00000001002ac8b0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 00000001002aa6a0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 00000001002a9c00 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 00000001002ab440 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 00000001002aaee0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 00000001002ac690 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 00000001002aa160 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 00000001002a9930 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 00000001002a8370 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 00000001002a7c90 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001002b97c0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001002b99d0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 00000001002aa960 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 00000001002aa400 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 00000001002a8580 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 00000001002a8f00 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 00000001002b8d10 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 00000001002b9530 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 00000001002b9e10 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 00000001002b8d50 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 00000001002b9280 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 00000001002b8ae0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 00000001002b9d10 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 00000001002b8ff0 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Users\Dominik\AppData\Local\CrossLoop\CrossLoopService.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\ProgramData\Browser Manager\2.6.1123.78\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Windows\SysWow64\WinFLService.exe[2520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2576] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 0000000100d3d120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 0000000100d4fc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 0000000100d4e100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 0000000100d4ed90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 0000000100d4c3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 0000000100d4e7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000100d50080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [67, 89] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 0000000100d4fe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 0000000100d4e400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 0000000100d4cde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 0000000100d4b670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 0000000100d4f8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 0000000100d4bfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 0000000100d4ca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 0000000100d4f6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 0000000100d4f220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 0000000100d4f460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 0000000100d4c670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 0000000100d4f020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000100d47f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 0000000100d3d240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 0000000100d45070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 0000000100d45c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000100d43ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 0000000100d3d270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000100d48d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000100d49530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000100d49e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000100d48d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000100d49280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000100d48ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000100d49d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000100d48ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 0000000100d3b6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 0000000100d3b1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 0000000100d3ac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000100d38140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 0000000100d3c160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 0000000100d3bc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 0000000100d3c470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 0000000100d393d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000100d38c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 0000000100d3bec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 0000000100d3b980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000100d38980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000100d37ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000100d39120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000100d39680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 0000000100d3cb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000100d38780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000100d39eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 0000000100d3c8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 0000000100d3a6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000100d39c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 0000000100d3b440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 0000000100d3aee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 0000000100d3c690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 0000000100d3a160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000100d39930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000100d38370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000100d37c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 0000000100d497c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 0000000100d499d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 0000000100d3a960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 0000000100d3a400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000100d38580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000100d38f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 0000000100d444d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\pg_ctl.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2888] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[2960] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\WsxService.exe[2004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000010025d120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000010026fc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000010026e100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000010026ed90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000010026c3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000010026e7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000100270080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [B9, 88] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000010026fe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000010026e400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000010026cde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000010026b670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000010026f8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000010026bfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000010026ca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000010026f6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000010026f220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000010026f460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000010026c670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000010026f020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000100267f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000010025d240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 0000000100265070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 0000000100265c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000100263ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000010025d270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000100268d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000100269530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000100269e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000100268d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000100269280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000100268ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000100269d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000100268ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000010025b6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000010025b1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000010025ac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000100258140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000010025c160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000010025bc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000010025c470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001002593d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000100258c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000010025bec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000010025b980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000100258980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000100257ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000100259120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000100259680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000010025cb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000100258780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000100259eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000010025c8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000010025a6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000100259c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000010025b440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000010025aee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000010025c690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000010025a160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000100259930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000100258370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000100257c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001002697c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001002699d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000010025a960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000010025a400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000100258580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000100258f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001002644d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\conhost.exe[2244] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 0000000100eed120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 0000000100effc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 0000000100efe100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 0000000100efed90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 0000000100efc3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 0000000100efe7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000100f00080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [82, 89] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 0000000100effe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 0000000100efe400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 0000000100efcde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 0000000100efb670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 0000000100eff8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 0000000100efbfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 0000000100efca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 0000000100eff6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 0000000100eff220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 0000000100eff460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 0000000100efc670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 0000000100eff020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000100ef7f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 0000000100eed240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 0000000100ef5070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 0000000100ef5c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000100ef3ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 0000000100eed270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000100ef8d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000100ef9530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000100ef9e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000100ef8d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000100ef9280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000100ef8ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000100ef9d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000100ef8ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 0000000100eeb6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 0000000100eeb1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 0000000100eeac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000100ee8140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 0000000100eec160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 0000000100eebc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 0000000100eec470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 0000000100ee93d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000100ee8c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 0000000100eebec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 0000000100eeb980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000100ee8980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000100ee7ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000100ee9120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000100ee9680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 0000000100eecb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000100ee8780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000100ee9eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 0000000100eec8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 0000000100eea6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000100ee9c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 0000000100eeb440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 0000000100eeaee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 0000000100eec690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 0000000100eea160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000100ee9930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000100ee8370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000100ee7c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 0000000100ef97c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 0000000100ef99d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 0000000100eea960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 0000000100eea400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000100ee8580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000100ee8f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 0000000100ef44d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 00000001013bd120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 00000001013cfc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 00000001013ce100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 00000001013ced90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 00000001013cc3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 00000001013ce7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 00000001013d0080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [CF, 89] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 00000001013cfe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 00000001013ce400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 00000001013ccde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 00000001013cb670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 00000001013cf8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 00000001013cbfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 00000001013cca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 00000001013cf6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 00000001013cf220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 00000001013cf460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 00000001013cc670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 00000001013cf020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 00000001013c7f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 00000001013bd240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 00000001013c5070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 00000001013c5c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 00000001013c3ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 00000001013bd270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 00000001013c8d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 00000001013c9530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 00000001013c9e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 00000001013c8d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 00000001013c9280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 00000001013c8ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 00000001013c9d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 00000001013c8ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 00000001013bb6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 00000001013bb1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 00000001013bac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 00000001013b8140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 00000001013bc160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 00000001013bbc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 00000001013bc470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001013b93d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 00000001013b8c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 00000001013bbec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 00000001013bb980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 00000001013b8980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 00000001013b7ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 00000001013b9120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 00000001013b9680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 00000001013bcb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 00000001013b8780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 00000001013b9eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 00000001013bc8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 00000001013ba6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 00000001013b9c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 00000001013bb440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 00000001013baee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 00000001013bc690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 00000001013ba160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 00000001013b9930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 00000001013b8370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 00000001013b7c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001013c97c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001013c99d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 00000001013ba960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 00000001013ba400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 00000001013b8580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 00000001013b8f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001013c44d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 0000000100ced120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 0000000100cffc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 0000000100cfe100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 0000000100cfed90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 0000000100cfc3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 0000000100cfe7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000100d00080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [62, 89] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 0000000100cffe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 0000000100cfe400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 0000000100cfcde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 0000000100cfb670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 0000000100cff8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 0000000100cfbfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 0000000100cfca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 0000000100cff6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 0000000100cff220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 0000000100cff460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 0000000100cfc670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 0000000100cff020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000100cf7f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 0000000100ced240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 0000000100cf5070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 0000000100cf5c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000100cf3ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 0000000100ced270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000100cf8d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000100cf9530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000100cf9e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000100cf8d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000100cf9280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000100cf8ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000100cf9d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000100cf8ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 0000000100ceb6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 0000000100ceb1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 0000000100ceac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000100ce8140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 0000000100cec160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 0000000100cebc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 0000000100cec470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 0000000100ce93d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000100ce8c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 0000000100cebec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 0000000100ceb980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000100ce8980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000100ce7ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000100ce9120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000100ce9680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 0000000100cecb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000100ce8780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000100ce9eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 0000000100cec8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 0000000100cea6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000100ce9c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 0000000100ceb440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 0000000100ceaee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 0000000100cec690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 0000000100cea160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000100ce9930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000100ce8370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000100ce7c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 0000000100cf97c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 0000000100cf99d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 0000000100cea960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 0000000100cea400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000100ce8580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000100ce8f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 0000000100cf44d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 00000001003cd120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 00000001003dfc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 00000001003de100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 00000001003ded90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 00000001003dc3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 00000001003de7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 00000001003e0080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [D0, 88] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 00000001003dfe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 00000001003de400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 00000001003dcde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 00000001003db670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 00000001003df8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 00000001003dbfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 00000001003dca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 00000001003df6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 00000001003df220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 00000001003df460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 00000001003dc670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 00000001003df020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 00000001003d7f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 00000001003cd240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 00000001003d5070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 00000001003d5c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 00000001003d3ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 00000001003cd270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 00000001003d8d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 00000001003d9530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 00000001003d9e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 00000001003d8d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 00000001003d9280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 00000001003d8ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 00000001003d9d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 00000001003d8ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 00000001003cb6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 00000001003cb1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 00000001003cac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 00000001003c8140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 00000001003cc160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 00000001003cbc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 00000001003cc470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001003c93d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 00000001003c8c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 00000001003cbec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 00000001003cb980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 00000001003c8980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 00000001003c7ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 00000001003c9120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 00000001003c9680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 00000001003ccb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 00000001003c8780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 00000001003c9eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 00000001003cc8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 00000001003ca6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 00000001003c9c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 00000001003cb440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 00000001003caee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 00000001003cc690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 00000001003ca160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 00000001003c9930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 00000001003c8370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 00000001003c7c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001003d97c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001003d99d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 00000001003ca960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 00000001003ca400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 00000001003c8580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 00000001003c8f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001003d44d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 0000000100d2d120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 0000000100d3fc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 0000000100d3e100 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 0000000100d3ed90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 0000000100d3c3c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 0000000100d3e7a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000100d40080 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [66, 89] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 0000000100d3fe40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 0000000100d3e400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 0000000100d3cde0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 0000000100d3b670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 0000000100d3f8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 0000000100d3bfe0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 0000000100d3ca40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 0000000100d3f6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 0000000100d3f220 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 0000000100d3f460 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 0000000100d3c670 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 0000000100d3f020 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000100d37f40 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 0000000100d2d240 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 0000000100d35070 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 0000000100d35c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000100d33ba0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 0000000100d2d270 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000100d38d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000100d39530 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000100d39e10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000100d38d50 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000100d39280 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000100d38ae0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000100d39d10 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000100d38ff0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 0000000100d2b6e0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 0000000100d2b1a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 0000000100d2ac20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000100d28140 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 0000000100d2c160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 0000000100d2bc20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 0000000100d2c470 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 0000000100d293d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000100d28c20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 0000000100d2bec0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 0000000100d2b980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000100d28980 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000100d27ea0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000100d29120 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000100d29680 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 0000000100d2cb20 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000100d28780 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000100d29eb0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 0000000100d2c8b0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 0000000100d2a6a0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000100d29c00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 0000000100d2b440 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 0000000100d2aee0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 0000000100d2c690 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 0000000100d2a160 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000100d29930 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000100d28370 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000100d27c90 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 0000000100d397c0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 0000000100d399d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 0000000100d2a960 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 0000000100d2a400 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000100d28580 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000100d28f00 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 0000000100d344d0 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Varico\VaricoPostgres\bin\postgres.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\alg.exe[3624] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[3704] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 0000000102b2d120 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 0000000102b3fc20 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 0000000102b3e100 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 0000000102b3ed90 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 0000000102b3c3c0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 0000000102b3e7a0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000102b40080 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [46, 8B] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 0000000102b3fe40 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 0000000102b3e400 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 0000000102b3cde0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 0000000102b3b670 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 0000000102b3f8b0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 0000000102b3bfe0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 0000000102b3ca40 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 0000000102b3f6a0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 0000000102b3f220 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 0000000102b3f460 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 0000000102b3c670 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 0000000102b3f020 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000102b37f40 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 0000000102b2d240 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 0000000102b35070 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 0000000102b35c00 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000102b33ba0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 0000000102b2d270 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 0000000102b344d0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 0000000102b2b6e0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 0000000102b2b1a0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 0000000102b2ac20 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000102b28140 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 0000000102b2c160 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 0000000102b2bc20 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 0000000102b2c470 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 0000000102b293d0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000102b28c20 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 0000000102b2bec0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 0000000102b2b980 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000102b28980 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000102b27ea0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000102b29120 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000102b29680 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 0000000102b2cb20 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000102b28780 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000102b29eb0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 0000000102b2c8b0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 0000000102b2a6a0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000102b29c00 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 0000000102b2b440 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 0000000102b2aee0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 0000000102b2c690 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 0000000102b2a160 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000102b29930 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000102b28370 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000102b27c90 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 0000000102b397c0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 0000000102b399d0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 0000000102b2a960 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 0000000102b2a400 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000102b28580 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000102b28f00 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000102b38d10 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000102b39530 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000102b39e10 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000102b38d50 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000102b39280 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000102b38ae0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000102b39d10 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000102b38ff0 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[2988] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690440 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690430 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077531490 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 0000000077690450 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903b0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 0000000077690320 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000077690380 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902e0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 0000000077690410 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902d0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690310 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 0000000077690390 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903c0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 0000000077690230 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x15e890} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 0000000077690460 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690370 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902f0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690350 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690290 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902b0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903a0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 0000000077690330 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x15e590} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776903e0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690240 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901e0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 0000000077690250 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x15e090} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000077690470 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000077690480 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000077690300 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690360 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776902a0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902c0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690340 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690420 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690260 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690270 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776903d0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x15db90} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901f0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690210 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 0000000077690200 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776903f0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690400 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690220 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 0000000077690280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd9102d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd910340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd9103b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3972] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910378 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 6 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\hkcmd.exe[1412] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 00000001004ad120 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 00000001004bfc20 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 00000001004be100 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 00000001004bed90 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 00000001004bc3c0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 00000001004be7a0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 00000001004c0080 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [DE, 88] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 00000001004bfe40 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 00000001004be400 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 00000001004bcde0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 00000001004bb670 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 00000001004bf8b0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 00000001004bbfe0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 00000001004bca40 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 00000001004bf6a0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 00000001004bf220 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 00000001004bf460 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 00000001004bc670 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 00000001004bf020 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 00000001004b7f40 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 00000001004ad240 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 00000001004b5070 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 00000001004b5c00 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 00000001004b3ba0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 00000001004ad270 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 00000001004ab6e0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 00000001004ab1a0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 00000001004aac20 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 00000001004a8140 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 00000001004ac160 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 00000001004abc20 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 00000001004ac470 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001004a93d0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 00000001004a8c20 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 00000001004abec0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 00000001004ab980 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 00000001004a8980 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 00000001004a7ea0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 00000001004a9120 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 00000001004a9680 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 00000001004acb20 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 00000001004a8780 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 00000001004a9eb0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 00000001004ac8b0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 00000001004aa6a0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 00000001004a9c00 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 00000001004ab440 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 00000001004aaee0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 00000001004ac690 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 00000001004aa160 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 00000001004a9930 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 00000001004a8370 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 00000001004a7c90 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001004b97c0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001004b99d0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 00000001004aa960 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 00000001004aa400 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 00000001004a8580 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 00000001004a8f00 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 00000001004b8d10 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 00000001004b9530 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 00000001004b9e10 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 00000001004b8d50 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 00000001004b9280 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 00000001004b8ae0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 00000001004b9d10 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 00000001004b8ff0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001004b44d0 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE[4052] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Winstep\Nexus.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4548] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\SearchIndexer.exe[4560] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\svchost.exe[2432] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\sppsvc.exe[5312] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 00000001003ad120 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 00000001003bfc20 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 00000001003be100 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 00000001003bed90 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 00000001003bc3c0 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 00000001003be7a0 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 00000001003c0080 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [CE, 88] .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 00000001003bfe40 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 00000001003be400 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 00000001003bcde0 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 00000001003bb670 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 00000001003bf8b0 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 00000001003bbfe0 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 00000001003bca40 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 00000001003bf6a0 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 00000001003bf220 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 00000001003bf460 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 00000001003bc670 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 00000001003bf020 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 00000001003b7f40 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 00000001003ad240 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 5 bytes JMP 00000001003b5070 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 5 bytes JMP 00000001003b5c00 .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe[720] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 00000001003b3ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\System32\svchost.exe[5976] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff2ea1a0 7 bytes JMP 000007fffd910180 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe[1776] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\svchost.exe[3736] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077503ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077507a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 00000000776a0440 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077531400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 00000000776a0430 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 1 byte JMP 00000000776a0450 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000775315c2 3 bytes {JMP 0x16ee90} .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077531640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776a0380 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776a02e0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077531720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077531760 5 bytes JMP 00000000776a0410 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776a02d0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077531842 3 bytes {JMP 0xfffffffff8abf190} .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077531860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 1 byte JMP 00000000776a0230 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000775319a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077531a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 00000000776a0370 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077531c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776a02f0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 00000000776a0350 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 00000000776a0290 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776a02b0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077531d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 1 byte JMP 00000000776a0330 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077531da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 00000000776a03e0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 00000000776a0240 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077532190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 1 byte JMP 00000000776a0250 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000775321c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776a0470 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776a0480 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776a0300 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 00000000776a0360 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 00000000776a02a0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776a02c0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 00000000776a0340 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 00000000776a0420 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 00000000776a0260 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 00000000776a0270 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 1 byte JMP 00000000776a03d0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077532842 3 bytes {JMP 0x16db90} .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 00000000776a0210 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 00000000776a03f0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 00000000776a0400 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 5 bytes JMP 00000000776a0280 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f5a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f71b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076faeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076fe8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda067c0 7 bytes JMP 000007fffd910148 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122cc 5 bytes JMP 000007fffd910260 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124c0 5 bytes JMP 000007fffd910298 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 5 bytes JMP 000007fffd9102d0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218398 9 bytes JMP 000007fffd9101f0 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c8 9 bytes JMP 000007fffd9101b8 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!GetPixel 000007feff219344 5 bytes JMP 000007fffd910228 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 5 bytes JMP 000007fffd910340 .text C:\Windows\system32\AUDIODG.EXE[2136] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff225410 5 bytes JMP 000007fffd910308 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\OTL.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text C:\Windows\SysWOW64\ctfmon.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776df9c0 5 bytes JMP 000000011001d120 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776dfc90 5 bytes JMP 000000011002fc20 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776dfd44 5 bytes JMP 000000011002e100 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776dfda8 5 bytes JMP 000000011002ed90 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776dfea0 5 bytes JMP 000000011002c3c0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776dff84 5 bytes JMP 000000011002e7a0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776dffe4 2 bytes JMP 0000000110030080 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000776dffe7 2 bytes [95, 98] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776e0064 5 bytes JMP 000000011002fe40 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776e0094 5 bytes JMP 000000011002e400 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776e0398 5 bytes JMP 000000011002cde0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776e0530 5 bytes JMP 000000011002b670 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776e0674 5 bytes JMP 000000011002f8b0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776e086c 5 bytes JMP 000000011002bfe0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776e0884 5 bytes JMP 000000011002ca40 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776e0dd4 5 bytes JMP 000000011002f6a0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776e0eb8 5 bytes JMP 000000011002f220 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776e1bc4 5 bytes JMP 000000011002f460 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776e1c94 5 bytes JMP 000000011002c670 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776e1d6c 5 bytes JMP 000000011002f020 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776fc45a 5 bytes JMP 0000000110027f40 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077701217 7 bytes JMP 000000011001d240 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007677103d 3 bytes JMP 0000000110025070 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 4 0000000076771041 1 byte [99] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076771072 3 bytes JMP 0000000110025c00 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessA + 4 0000000076771076 1 byte [99] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007679a30a 1 byte [62] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007679c9b5 5 bytes JMP 0000000110023ba0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075308e6e 5 bytes JMP 000000011001b6e0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007530cd35 5 bytes JMP 000000011001b1a0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007530d0da 5 bytes JMP 000000011001ac20 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007530d277 5 bytes JMP 0000000110018140 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007530f0e6 5 bytes JMP 000000011001c160 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075310f14 5 bytes JMP 000000011001bc20 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075310f9f 7 bytes JMP 000000011001c470 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075312902 5 bytes JMP 00000001100193d0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000753135fb 5 bytes JMP 0000000110018c20 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075313cbf 5 bytes JMP 000000011001bec0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075313d76 5 bytes JMP 000000011001b980 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SetParent 0000000075313f14 5 bytes JMP 0000000110018980 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075313f54 5 bytes JMP 0000000110017ea0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075314858 5 bytes JMP 0000000110019120 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007531492a 5 bytes JMP 0000000110019680 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075318364 5 bytes JMP 000000011001cb20 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007531b7e6 5 bytes JMP 0000000110018780 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007531c991 5 bytes JMP 0000000110019eb0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753206b3 5 bytes JMP 000000011001c8b0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007532090f 5 bytes JMP 000000011001a6a0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075322959 5 bytes JMP 0000000110019c00 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075322a62 5 bytes JMP 00000001729a44c0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007532eef4 5 bytes JMP 000000011001b440 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007532f422 5 bytes JMP 000000011001aee0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007532f9b0 7 bytes JMP 000000011001c690 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075330f60 5 bytes JMP 000000011001a160 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendInput 000000007533195e 5 bytes JMP 0000000110019930 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075349f3b 5 bytes JMP 0000000110018370 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000753515ef 5 bytes JMP 0000000110017c90 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!mouse_event 000000007536040b 5 bytes JMP 00000001100297c0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!keybd_event 000000007536044f 5 bytes JMP 00000001100299d0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075366e8c 5 bytes JMP 000000011001a960 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075366eed 5 bytes JMP 000000011001a400 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075367f67 5 bytes JMP 0000000110018580 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075368a7b 5 bytes JMP 0000000110018f00 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755058b3 5 bytes JMP 0000000110028d10 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075505ea6 5 bytes JMP 0000000110029530 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075507bcc 5 bytes JMP 0000000110029e10 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007550b895 5 bytes JMP 0000000110028d50 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007550c332 5 bytes JMP 0000000110029280 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007550cbfb 5 bytes JMP 0000000110028ae0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007550e743 5 bytes JMP 0000000110029d10 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075534646 5 bytes JMP 0000000110028ff0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000074e42538 5 bytes JMP 00000001100244d0 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes [21, 75] .text ... * 9 .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes [21, 75] .text D:\@ PROGRAMY @\Rootkit Spyware\orfq7pii.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes [21, 75] ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [1401caad0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1401cbfb0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\VERSION.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\VERSION.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\VERSION.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DefFrameProcW] [1401cb110] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DrawMenuBar] [1401cc050] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3964] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ---- Threads - GMER 2.0 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4788:4236] 000007fefb692a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4788:3116] 000007fef016d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4788:4616] 000007fef9eb5124 Thread C:\Windows\System32\svchost.exe [5976:6028] 000007fef5e79688 ---- EOF - GMER 2.0 ----