GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-28 14:32:08 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST964032 rev.0001 596,17GB Running: gmer.exe; Driver: C:\Users\Monika\AppData\Local\Temp\uxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff8897e890} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff8897e590} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100120240 
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff8897e090} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes 
JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\wininit.exe[600] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text 
C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\wininit.exe[600] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 
0000000077910260 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\wininit.exe[600] 
C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077536ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077538184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SetParent 0000000077538530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!PostMessageA 000000007753a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!EnableWindow 000000007753aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!MoveWindow 000000007753aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007753c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007753cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007753d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendMessageA 000000007753d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007753dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007753f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007753f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007753fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077540b74 10 bytes JMP 
000000016fff03b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077544d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!GetKeyState 0000000077545010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077545438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendMessageW 0000000077546b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!PostMessageW 00000000775476e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007754dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!GetClipboardData 000000007754e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007754f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775528e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!mouse_event 0000000077553894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077558a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077558be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077558c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendInput 0000000077558cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[600] 
C:\Windows\system32\USER32.dll!BlockInput 000000007755ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775814e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!keybd_event 00000000775a45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775acc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775adf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000149960460 .text C:\Windows\system32\csrss.exe[620] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000149960370 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001499603e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000149960320 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001499603b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000149960390 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001499602e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000149960440 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001499602d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000149960310 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000001499603c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001499603f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000149960230 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffffd21be890} .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0148 .text 
C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001499603a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001499602f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000149960350 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000149960290 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001499602b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001499603d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000149960330 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffffd21be590} .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000149960410 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000149960240 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001499601e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000149960250 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffffd21be090} .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000001499604a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 
00000000777a2200 5 bytes JMP 00000001499604b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000149960300 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000149960360 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001499602a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001499602c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000149960380 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000149960340 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000149960450 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000149960260 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000149960270 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000149960400 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001499601f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000149960210 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000149960200 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000149960420 .text C:\Windows\system32\csrss.exe[620] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000149960430 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000149960220 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000149960280 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text 
C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\services.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 
bytes {JMP 0x16e090} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\services.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\services.exe[676] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff6a6bd0 5 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077536ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077538184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SetParent 0000000077538530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!PostMessageA 
000000007753a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!EnableWindow 000000007753aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!MoveWindow 000000007753aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007753c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007753cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007753d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendMessageA 000000007753d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007753dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007753f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007753f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007753fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077540b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077544d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!GetKeyState 0000000077545010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077545438 7 bytes JMP 000000016fff0500 .text 
C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendMessageW 0000000077546b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!PostMessageW 00000000775476e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007754dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!GetClipboardData 000000007754e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007754f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775528e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!mouse_event 0000000077553894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077558a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077558be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077558c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendInput 0000000077558cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!BlockInput 000000007755ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775814e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!keybd_event 00000000775a45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[676] 
C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775acc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775adf18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd500228 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500378 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\lsass.exe[684] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text 
C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes 
{JMP 0x16e590} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\lsass.exe[684] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\lsass.exe[684] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 
00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900470 .text 
C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900460 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900480 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077900440 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 
00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900490 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text 
C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004b0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900450 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\winlogon.exe[728] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\winlogon.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text 
C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 
00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text 
C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff6a6bd0 5 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500298 .text 
C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500378 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500340 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 
000000011001c470 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 
000000011001b440 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] 
C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] 
C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[912] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[948] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text 
C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[948] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 
0000000077910400 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff6a6bd0 5 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 
000007feff4a9344 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500378 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 
00000000779103a0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 
0000000077910210 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!CreateDCA 
000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\atiesrxx.exe[508] 
C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\atiesrxx.exe[508] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text 
C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[932] 
C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes 
{JMP 0xffffffff888ce090} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[932] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text 
C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\System32\svchost.exe[932] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 
0000000077910390 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\System32\svchost.exe[1048] 
C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 
bytes {JMP 0x16e090} .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\System32\svchost.exe[1048] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text 
C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes 
JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1076] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text 
C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCW 
000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1100] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes 
JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text 
C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[1100] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff6a6bd0 5 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 
bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500378 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 
00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text 
C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\AUDIODG.EXE[1188] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 
0000000077910260 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text 
C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\AUDIODG.EXE[1188] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text 
C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text 
C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[1396] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 
000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff6a6bd0 5 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500378 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text 
C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\atieclxx.exe[1432] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 
bytes JMP 0000000077910380 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text 
C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\atieclxx.exe[1432] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text 
C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 
00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text 
C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\FBAgent.exe[1588] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!DeleteDC 
000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\FBAgent.exe[1588] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program 
Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 
0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] 
C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1616] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 
bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 
000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] 
C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] 
C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1652] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1936] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 
000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text 
C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\System32\spoolsv.exe[1936] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 
bytes JMP 000007fffd500298 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\System32\spoolsv.exe[1936] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000010025d120 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000010026fc20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000010026e100 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000010026ed90 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000010026c3c0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 
000000010026e7a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000100270080 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [92, 88] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000010026fe40 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000010026e400 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000010026cde0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000010026b670 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000010026f8b0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000010026bfe0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000010026ca40 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000010026f6a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000010026f220 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000010026f460 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000010026c670 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000010026f020 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000100267f40 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000010025d240 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000100265070 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000100265c00 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Common 
Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000100263ba0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000010025d270 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000010025b6e0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000010025c470 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000010025b1a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000010025ac20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000010025c160 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000100258140 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000010025bc20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyState 
0000000076c5291f 5 bytes JMP 00000001002593d0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000100258980 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000100257ea0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000100258c20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000010025bec0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000010025b980 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000010025b440 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000010025c690 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000010025c8b0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000010025a160 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000010025a6a0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000010025aee0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000010025cb20 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000100258780 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000100259eb0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000100259c00 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000100259120 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000100259680 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000100259930 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000100258370 .text C:\Program Files (x86)\Common 
Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000100257c90 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001002697c0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001002699d0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000010025a960 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000010025a400 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000100258580 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000100258f00 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000100268d10 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000100269530 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000100269e10 .text C:\Program 
Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000100268d50 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000100269280 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000100268ae0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000100269d10 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000100268ff0 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1732] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001002644d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common 
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common 
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common 
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\taskhost.exe[2556] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 
00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text 
C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\taskhost.exe[2556] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\kernel32.dll!CreateProcessA 
00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 
00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\Dwm.exe[2628] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\Dwm.exe[2628] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text 
C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text 
C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskeng.exe[2672] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 
00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text 
C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes 
JMP 000007fffd500340 .text C:\Windows\system32\taskeng.exe[2672] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[2740] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[2740] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704b0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[2740] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[2740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077536ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077538184 7 bytes JMP 000000016fff0880 .text C:\Windows\Explorer.EXE[2740] 
C:\Windows\system32\USER32.dll!SetParent 0000000077538530 8 bytes JMP 000000016fff0730 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!PostMessageA 000000007753a404 5 bytes JMP 000000016fff0308 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!EnableWindow 000000007753aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!MoveWindow 000000007753aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007753c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007753cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007753d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendMessageA 000000007753d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007753dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007753f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007753f874 9 bytes JMP 000000016fff0298 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007753fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077540b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077544d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!GetKeyState 0000000077545010 5 bytes JMP 000000016fff0688 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendMessageCallbackW 
0000000077545438 7 bytes JMP 000000016fff0500 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendMessageW 0000000077546b50 5 bytes JMP 000000016fff0420 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!PostMessageW 00000000775476e4 7 bytes JMP 000000016fff0340 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007754dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!GetClipboardData 000000007754e874 5 bytes JMP 000000016fff0810 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007754f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775528e4 12 bytes JMP 000000016fff0538 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!mouse_event 0000000077553894 7 bytes JMP 000000016fff0228 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077558a10 8 bytes JMP 000000016fff0650 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077558be0 12 bytes JMP 000000016fff0458 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077558c20 12 bytes JMP 000000016fff0260 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendInput 0000000077558cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!BlockInput 000000007755ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775814e0 5 bytes JMP 000000016fff0928 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!keybd_event 00000000775a45a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775acc08 5 bytes JMP 000000016fff05a8 .text 
C:\Windows\Explorer.EXE[2740] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775adf18 7 bytes JMP 000000016fff04c8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 
bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] 
C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2144] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files 
(x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000010032d120 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000010033fc20 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000010033e100 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000010033ed90 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000010033c3c0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000010033e7a0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000100340080 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [9F, 88] .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000010033fe40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000010033e400 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000010033cde0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000010033b670 .text C:\Program Files (x86)\ASUS\Wireless Console 
3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000010033f8b0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000010033bfe0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000010033ca40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000010033f6a0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000010033f220 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000010033f460 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000010033c670 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000010033f020 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000100337f40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000010032d240 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000100335070 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000100335c00 .text C:\Program Files (x86)\ASUS\Wireless Console 
3\wcourier.exe[1884] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[1884] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000100333ba0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program 
Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 
.text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 
0000000077910250 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 
5 bytes JMP 000000016fff0b20 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 
bytes JMP 000007fffd5002d0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files\Elantech\ETDCtrl.exe[2864] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\SysWOW64\ACEngSvr.exe[2816] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] 
C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 
0000000077910390 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files (x86)\ASUS\ASUS 
WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 
bytes JMP 00000000779102a0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files (x86)\ASUS\ASUS 
WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!CreateDCW 
000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[2496] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900470 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900460 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777a1490 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900480 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 
5 bytes JMP 00000000779003b0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077900440 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900490 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program 
Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779004a0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004b0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900450 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text 
C:\Windows\WindowsMobile\wmdc.exe[1536] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] 
C:\Windows\syswow64\user32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] 
C:\Windows\syswow64\user32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] 
C:\Windows\syswow64\user32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 
76] .text ... * 2 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\SRS Labs\SRS 
Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 
00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files\SRS Labs\SRS 
Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 
000007fffd5002d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3496] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] 
C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] 
C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3584] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 
00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 
000000016fff0b20 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000010024d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000010025fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000010025e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000010025ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000010025c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 
000000007794ff84 5 bytes JMP 000000010025e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000100260080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [91, 88] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000010025fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000010025e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000010025cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000010025b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000010025f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000010025bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000010025ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000010025f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000010025f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000010025f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000010025c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000010025f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000100257f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000010024d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000100255070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000100255c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000100253ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000010024d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000010024b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000010024c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000010024b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000010024ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000010024c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000100248140 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000010024bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001002493d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000100248980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000100247ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000100248c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000010024bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000010024b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000010024b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000010024c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000010024c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000010024a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000010024a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000010024aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000010024cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000100248780 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000100249eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000100249c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000100249120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000100249680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000100249930 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000100248370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000100247c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001002597c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001002599d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000010024a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000010024a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000100248580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000100248f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000100258d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000100259530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000100259e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000100258d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] 
C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000100259280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000100258ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000100259d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000100258ff0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3644] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001002544d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 00000001004bd120 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 00000001004cfc20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 00000001004ce100 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 00000001004ced90 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 00000001004cc3c0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 00000001004ce7a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 00000001004d0080 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [B8, 
88] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 00000001004cfe40 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 00000001004ce400 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 00000001004ccde0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 00000001004cb670 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 00000001004cf8b0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 00000001004cbfe0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 00000001004cca40 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 00000001004cf6a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 00000001004cf220 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 00000001004cf460 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 00000001004cc670 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 00000001004cf020 .text C:\Program Files 
(x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 00000001004c7f40 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 00000001004bd240 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 00000001004c5070 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 00000001004c5c00 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 00000001004c3ba0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 00000001004bd270 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 00000001004bb6e0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 00000001004bc470 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 00000001004bb1a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 00000001004bac20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 00000001004bc160 .text C:\Program Files 
(x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 00000001004b8140 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 00000001004bbc20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001004b93d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 00000001004b8980 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 00000001004b7ea0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 00000001004b8c20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 00000001004bbec0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 00000001004bb980 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 00000001004bb440 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 00000001004bc690 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 00000001004bc8b0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 00000001004ba160 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 00000001004ba6a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 00000001004baee0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001004bcb20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 00000001004b8780 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 00000001004b9eb0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 00000001004b9c00 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 00000001004b9120 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 00000001004b9680 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 00000001004b9930 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 00000001004b8370 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 00000001004b7c90 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001004c97c0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!keybd_event 
0000000076ca02bf 5 bytes JMP 00000001004c99d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 00000001004ba960 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 00000001004ba400 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 00000001004b8580 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 00000001004b8f00 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 00000001004c8d10 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 00000001004c9530 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 00000001004c9e10 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 00000001004c8d50 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 00000001004c9280 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 00000001004c8ae0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 00000001004c9d10 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 00000001004c8ff0 .text C:\Program Files 
(x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001004c44d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 
000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 
0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 
0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] 
C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000010045d120 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000010046fc20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000010046e100 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000010046ed90 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000010046c3c0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000010046e7a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000100470080 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [B2, 88] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000010046fe40 .text C:\Program Files 
(x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000010046e400 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000010046cde0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000010046b670 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000010046f8b0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000010046bfe0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000010046ca40 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000010046f6a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000010046f220 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000010046f460 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000010046c670 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000010046f020 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000100467f40 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000010045d240 .text 
C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000100465070 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000100465c00 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000100463ba0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000010045d270 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000010045b6e0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000010045c470 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000010045b1a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000010045ac20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000010045c160 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000100458140 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000010045bc20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 
00000001004593d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000100458980 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000100457ea0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000100458c20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000010045bec0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000010045b980 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000010045b440 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000010045c690 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000010045c8b0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000010045a160 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000010045a6a0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000010045aee0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000010045cb20 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 
bytes JMP 0000000100458780 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000100459eb0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000100459c00 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000100459120 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000100459680 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000100459930 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000100458370 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000100457c90 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001004697c0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001004699d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000010045a960 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000010045a400 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000100458580 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 
0000000076ca88eb 5 bytes JMP 0000000100458f00 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000100468d10 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000100469530 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000100469e10 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000100468d50 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000100469280 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000100468ae0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000100469d10 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000100468ff0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001004644d0 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... 
* 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3884] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 
000000011001d120 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Epson Software\Event 
Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files 
(x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] 
C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes 
JMP 0000000110018f00 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files\AVAST 
Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program 
Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 
0000000110019eb0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3900] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 
00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files 
(x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] 
C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text 
C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] 
C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] 
C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe[3988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files 
(x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files 
(x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files 
(x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] 
C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] 
C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4032] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 00000001006fd120 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000010070fc20 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000010070e100 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000010070ed90 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000010070c3c0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000010070e7a0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000100710080 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [DC, 88] .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000010070fe40 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000010070e400 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000010070cde0 .text C:\Program Files 
(x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000010070b670 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000010070f8b0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000010070bfe0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000010070ca40 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000010070f6a0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000010070f220 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000010070f460 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000010070c670 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000010070f020 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000100707f40 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 00000001006fd240 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] 
C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000100705070 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000100705c00 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000100703ba0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 00000001006fd270 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001007044d0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000100708d10 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000100709530 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000100709e10 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000100708d50 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000100709280 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000100708ae0 .text C:\Program Files (x86)\Nokia 
Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000100709d10 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000100708ff0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 00000001006fb6e0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 00000001006fc470 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 00000001006fb1a0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 00000001006fac20 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 00000001006fc160 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 00000001006f8140 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 00000001006fbc20 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001006f93d0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 00000001006f8980 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 
00000001006f7ea0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 00000001006f8c20 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 00000001006fbec0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 00000001006fb980 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 00000001006fb440 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 00000001006fc690 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 00000001006fc8b0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 00000001006fa160 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 00000001006fa6a0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 00000001006faee0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001006fcb20 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 00000001006f8780 .text C:\Program Files (x86)\Nokia 
Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 00000001006f9eb0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 00000001006f9c00 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 00000001006f9120 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 00000001006f9680 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 00000001006f9930 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 00000001006f8370 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 00000001006f7c90 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001007097c0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001007099d0 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 00000001006fa960 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 00000001006fa400 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 
bytes JMP 00000001006f8580 .text C:\Program Files (x86)\Nokia Modem\NokiaInternetModem_AppStart.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 00000001006f8f00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 
000000011001d240 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ASUS Data Security 
Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 
000000011001a6a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ASUS Data Security 
Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files 
(x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3572] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text 
C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\AsScrPro.exe[416] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Windows\AsScrPro.exe[416] 
C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Windows\AsScrPro.exe[416] 
C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 
0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Windows\AsScrPro.exe[416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... 
* 2 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 
000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files 
(x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files 
(x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetScrollInfo 0000000076c54018 7 bytes JMP 0000000106c7c68b .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetScrollInfo 0000000076c540cf 7 bytes JMP 0000000106c7c703 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!ShowScrollBar 0000000076c54162 5 bytes JMP 0000000106c7c787 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetScrollPos 0000000076c54234 5 bytes JMP 0000000106c7c6b3 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 
.text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetScrollPos 0000000076c587a5 5 bytes JMP 0000000106c7c72e .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!EnableScrollBar 0000000076c58d3a 7 bytes JMP 0000000106c7c663 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetScrollRange 0000000076c590c4 5 bytes JMP 0000000106c7c6d8 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000076c6d50b 5 bytes JMP 0000000106c7c759 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] 
C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Winamp\winamp.exe[1388] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text 
C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text 
C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program 
Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... 
* 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 
000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 
00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 
000007fffd500340 .text C:\Windows\System32\svchost.exe[4148] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text 
C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 
0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 
0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] 
C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] 
C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[4208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[4248] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 
bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text 
C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[4248] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text 
C:\Windows\system32\svchost.exe[4248] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes 
JMP 000000016fff0ce0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4296] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text 
C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Program Files\iPod\bin\iPodService.exe[4636] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 
00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Program 
Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Program Files\iPod\bin\iPodService.exe[4636] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program 
Files\iPod\bin\iPodService.exe[4636] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text 
C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 
000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 
00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[4776] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[4776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] 
C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ASUS Data 
Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 
bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ASUS Data Security 
Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ASUS Data Security 
Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text 
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[4144] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text 
C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[3436] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 
3 bytes {JMP 0x16e590} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[3436] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 
7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 
000007fffd5001b8 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[5144] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text 
C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[5416] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\svchost.exe[5416] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\wbem\wmiprvse.exe[5484] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007763a420 12 
bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077651b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000776c8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program 
Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 
bytes JMP 000000011002f020 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] 
C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Internet 
Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Internet Download 
Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[5760] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 
0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 
000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 
bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5900] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\WDC.exe[6104] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] 
C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] 
C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[6104] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077773ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077777a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3844] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077910470 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777a1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077910460 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077910370 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077910480 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777a1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779103b0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077910390 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779102e0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777a1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777a1760 5 bytes JMP 0000000077910440 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779102d0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 
000000016fff0b58 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000777a1842 3 bytes {JMP 0xfffffffff884f190} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777a1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077910230 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x16e890} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777a1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779103a0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777a1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077910350 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\System32\svchost.exe[3844] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777a1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077910330 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x16e590} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077910410 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077910240 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777a2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077910250 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x16e090} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 00000000779104a0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779104b0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077910300 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077910360 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 
bytes JMP 00000000779102a0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077910380 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077910340 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077910450 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077910260 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077910270 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077910400 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077910210 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077910420 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077910430 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077910280 .text C:\Windows\System32\svchost.exe[3844] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefecca1a0 7 bytes JMP 000007fffd500180 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd765290 7 bytes JMP 000007fffd500148 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4a22cc 5 bytes JMP 000007fffd500260 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4a24c0 5 bytes JMP 000007fffd500298 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff4a5be0 5 bytes JMP 000007fffd5002d0 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff4a8398 9 bytes JMP 000007fffd5001f0 .text C:\Windows\system32\DllHost.exe[6680] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4a89c8 9 bytes JMP 000007fffd5001b8 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!GetPixel 000007feff4a9344 5 bytes JMP 000007fffd500228 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff4ab9e8 5 bytes JMP 000007fffd500340 .text C:\Windows\system32\DllHost.exe[6680] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff4b5410 5 bytes JMP 000007fffd500308 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 00000001003cd120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 00000001003dfc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 00000001003de100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 00000001003ded90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 00000001003dc3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 00000001003de7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 00000001003e0080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [A9, 88] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 00000001003dfe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 00000001003de400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 00000001003dcde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 00000001003db670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 00000001003df8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 00000001003dbfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 00000001003dca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 00000001003df6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 00000001003df220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 00000001003df460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 00000001003dc670 .text C:\Program 
Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 00000001003df020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 00000001003d7f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 00000001003cd240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 00000001003d5070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 00000001003d5c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 00000001003d3ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 00000001003cd270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001003d44d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 00000001003cb6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 
0000000076c490d3 7 bytes JMP 00000001003cc470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 00000001003cb1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 00000001003cac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 00000001003cc160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 00000001003c8140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 00000001003cbc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001003c93d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 00000001003c8980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 00000001003c7ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 00000001003c8c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 00000001003cbec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 00000001003cb980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 00000001003cb440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 00000001003cc690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 00000001003cc8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 00000001003ca160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 00000001003ca6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 00000001003caee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001003ccb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 00000001003c8780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 00000001003c9eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 00000001003c9c00 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 00000001003c9120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 00000001003c9680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 00000001003c9930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 00000001003c8370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 00000001003c7c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001003d97c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001003d99d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 00000001003ca960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 00000001003ca400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 00000001003c8580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 00000001003c8f00 
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 00000001003d8d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 00000001003d9530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 00000001003d9e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes JMP 00000001003d8d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 00000001003d9280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 00000001003d8ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 00000001003d9d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 00000001003d8ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076701465 2 bytes [70, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767014bb 2 bytes [70, 76] .text ... 
* 2 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007794f9c0 5 bytes JMP 000000011001d120 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007794fc90 5 bytes JMP 000000011002fc20 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007794fd44 5 bytes JMP 000000011002e100 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007794fda8 5 bytes JMP 000000011002ed90 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007794fea0 5 bytes JMP 000000011002c3c0 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007794ff84 5 bytes JMP 000000011002e7a0 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007794ffe4 2 bytes JMP 0000000110030080 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007794ffe7 2 bytes [6E, 98] .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077950064 5 bytes JMP 000000011002fe40 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077950094 5 bytes JMP 000000011002e400 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077950398 5 bytes JMP 000000011002cde0 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077950530 5 bytes JMP 000000011002b670 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077950674 5 bytes JMP 000000011002f8b0 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007795086c 5 bytes JMP 000000011002bfe0 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077950884 5 bytes JMP 000000011002ca40 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077950dd4 5 bytes JMP 000000011002f6a0 .text D:\gmer\gmer.exe[4736] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077950eb8 5 bytes JMP 000000011002f220 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077951bc4 5 bytes JMP 000000011002f460 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077951c94 5 bytes JMP 000000011002c670 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077951d6c 5 bytes JMP 000000011002f020 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007796c45a 5 bytes JMP 0000000110027f40 .text D:\gmer\gmer.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077971217 7 bytes JMP 000000011001d240 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076da103d 5 bytes JMP 0000000110025070 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076da1072 5 bytes JMP 0000000110025c00 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076dca30a 1 byte [62] .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076dcc9b5 5 bytes JMP 0000000110023ba0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076b5f776 5 bytes JMP 000000011001d270 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076c48bff 5 bytes JMP 000000011001b6e0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076c490d3 7 bytes JMP 000000011001c470 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c49679 5 bytes JMP 000000011001b1a0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076c497d2 5 bytes JMP 000000011001ac20 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 000000011001c160 .text D:\gmer\gmer.exe[4736] 
C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076c4efc9 5 bytes JMP 0000000110018140 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 000000011001bc20 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001100193d0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SetParent 0000000076c52d64 5 bytes JMP 0000000110018980 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076c52da4 5 bytes JMP 0000000110017ea0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076c53698 5 bytes JMP 0000000110018c20 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 000000011001bec0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076c53c61 5 bytes JMP 000000011001b980 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c5612e 5 bytes JMP 000000011001b440 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076c56c30 7 bytes JMP 000000011001c690 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 000000011001c8b0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076c57668 5 bytes JMP 000000011001a160 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076c576e0 5 bytes JMP 000000011001a6a0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076c5781f 5 bytes JMP 000000011001aee0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 000000011001cb20 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076c5c4b6 5 bytes JMP 0000000110018780 .text D:\gmer\gmer.exe[4736] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076c6c112 5 bytes JMP 0000000110019eb0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076c6d0f5 5 bytes JMP 0000000110019c00 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 0000000110019120 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 0000000110019680 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c6ff4a 5 bytes JMP 0000000110019930 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076c89f1d 5 bytes JMP 0000000110018370 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076c91497 5 bytes JMP 0000000110017c90 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ca027b 5 bytes JMP 00000001100297c0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ca02bf 5 bytes JMP 00000001100299d0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ca6cfc 5 bytes JMP 000000011001a960 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ca6d5d 5 bytes JMP 000000011001a400 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ca7dd7 5 bytes JMP 0000000110018580 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ca88eb 5 bytes JMP 0000000110018f00 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767e58b3 5 bytes JMP 0000000110028d10 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000767e5ea6 5 bytes JMP 0000000110029530 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000767e7bcc 5 bytes JMP 0000000110029e10 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000767eb895 5 bytes 
JMP 0000000110028d50 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000767ec332 5 bytes JMP 0000000110029280 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000767ecbfb 5 bytes JMP 0000000110028ae0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000767ee743 5 bytes JMP 0000000110029d10 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076814646 5 bytes JMP 0000000110028ff0 .text D:\gmer\gmer.exe[4736] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2538 5 bytes JMP 00000001100244d0 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program 
Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO 
Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT 
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO 
Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet 
Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ 
C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1532] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 8 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 16 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 134371 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1E 0x6A 0x8E 0xE8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBE 0x72 0x6B 0x23 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x33 0xE6 0x0A 0xCB ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8D 0x1D 0x62 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xD7 0xE7 0xA5 ... Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 3 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 8 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 16 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 134371 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1E 0x6A 0x8E 0xE8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBE 0x72 0x6B 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x33 0xE6 0x0A 0xCB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8D 0x1D 0x62 0x8B ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xD7 0xE7 0xA5 ... ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes ---- EOF - GMER 2.1 ----