GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-05 18:04:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB Running: m57g1hli.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kxdiakoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800033b5000 63 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 624 fffff800033b5040 1 byte [01] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD 
[RIP+0x93ce7d0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\wininit.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\wininit.exe[736] C:\windows\system32\kernel32.dll!CreateProcessA 
00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\wininit.exe[736] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000077026ef0 6 bytes {JMP QWORD [RIP+0x9379140]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000077028184 6 bytes {JMP QWORD [RIP+0x9457eac]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SetParent 0000000077028530 6 bytes {JMP QWORD [RIP+0x9397b00]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!PostMessageA 000000007702a404 6 bytes {JMP QWORD [RIP+0x9135c2c]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!EnableWindow 000000007702aaa0 6 bytes {JMP QWORD [RIP+0x9495590]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!MoveWindow 000000007702aad0 6 bytes {JMP QWORD [RIP+0x93b5560]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!GetAsyncKeyState 000000007702c720 6 bytes {JMP QWORD [RIP+0x9353910]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!RegisterHotKey 000000007702cd50 6 bytes {JMP QWORD [RIP+0x94332e0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!PostThreadMessageA 000000007702d2b0 6 bytes {JMP QWORD [RIP+0x9172d80]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendMessageA 000000007702d338 6 bytes {JMP QWORD [RIP+0x91b2cf8]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendNotifyMessageW 000000007702dc40 6 bytes {JMP QWORD [RIP+0x92923f0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SystemParametersInfoW 
000000007702f510 6 bytes {JMP QWORD [RIP+0x9470b20]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SetWindowsHookExW 000000007702f874 6 bytes {JMP QWORD [RIP+0x90f07bc]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendMessageTimeoutW 000000007702fac0 6 bytes {JMP QWORD [RIP+0x9210570]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077030b74 6 bytes {JMP QWORD [RIP+0x918f4bc]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000077034d4d 5 bytes {JMP QWORD [RIP+0x910b2e4]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!GetKeyState 0000000077035010 6 bytes {JMP QWORD [RIP+0x932b020]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077035438 6 bytes {JMP QWORD [RIP+0x924abf8]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendMessageW 0000000077036b50 6 bytes {JMP QWORD [RIP+0x91c94e0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!PostMessageW 00000000770376e4 6 bytes {JMP QWORD [RIP+0x914894c]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendDlgItemMessageW 000000007703dd90 6 bytes {JMP QWORD [RIP+0x92c22a0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!GetClipboardData 000000007703e874 6 bytes {JMP QWORD [RIP+0x94017bc]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SetClipboardViewer 000000007703f780 6 bytes {JMP QWORD [RIP+0x93c08b0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000770428e4 6 bytes {JMP QWORD [RIP+0x925d74c]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!mouse_event 0000000077043894 6 bytes {JMP QWORD [RIP+0x909c79c]} .text C:\windows\system32\wininit.exe[736] 
C:\windows\system32\USER32.dll!GetKeyboardState 0000000077048a10 6 bytes {JMP QWORD [RIP+0x92f7620]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077048be0 6 bytes {JMP QWORD [RIP+0x91d7450]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077048c20 6 bytes {JMP QWORD [RIP+0x90b7410]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendInput 0000000077048cd0 6 bytes {JMP QWORD [RIP+0x92d7360]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!BlockInput 000000007704ad60 6 bytes {JMP QWORD [RIP+0x93d52d0]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!ExitWindowsEx 00000000770714e0 6 bytes {JMP QWORD [RIP+0x946eb50]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!keybd_event 00000000770945a4 6 bytes {JMP QWORD [RIP+0x902ba8c]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007709cc08 6 bytes {JMP QWORD [RIP+0x9243428]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007709df18 6 bytes {JMP QWORD [RIP+0x91c2118]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 43003b .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes JMP 0 .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 0 .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes JMP 0 .text C:\windows\system32\wininit.exe[736] 
C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\wininit.exe[736] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\services.exe[808] 
C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\services.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\services.exe[808] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\services.exe[808] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\services.exe[808] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\services.exe[808] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\system32\services.exe[808] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text 
C:\windows\system32\services.exe[808] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff3b6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000077026ef0 6 bytes {JMP QWORD [RIP+0x9379140]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000077028184 6 bytes {JMP QWORD [RIP+0x9457eac]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SetParent 0000000077028530 6 bytes {JMP QWORD [RIP+0x9397b00]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!PostMessageA 000000007702a404 6 bytes {JMP QWORD [RIP+0x9135c2c]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!EnableWindow 000000007702aaa0 6 bytes {JMP QWORD [RIP+0x9495590]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!MoveWindow 000000007702aad0 6 bytes {JMP QWORD [RIP+0x93b5560]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!GetAsyncKeyState 000000007702c720 6 bytes {JMP QWORD [RIP+0x9353910]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!RegisterHotKey 000000007702cd50 6 bytes {JMP QWORD [RIP+0x94332e0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!PostThreadMessageA 000000007702d2b0 6 bytes {JMP QWORD [RIP+0x9172d80]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendMessageA 000000007702d338 6 bytes {JMP QWORD [RIP+0x91b2cf8]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendNotifyMessageW 000000007702dc40 6 bytes {JMP QWORD [RIP+0x92923f0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SystemParametersInfoW 000000007702f510 6 bytes {JMP QWORD [RIP+0x9470b20]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SetWindowsHookExW 000000007702f874 6 bytes {JMP 
QWORD [RIP+0x90f07bc]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendMessageTimeoutW 000000007702fac0 6 bytes {JMP QWORD [RIP+0x9210570]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077030b74 6 bytes {JMP QWORD [RIP+0x918f4bc]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000077034d4d 5 bytes {JMP QWORD [RIP+0x910b2e4]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!GetKeyState 0000000077035010 6 bytes {JMP QWORD [RIP+0x932b020]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077035438 6 bytes {JMP QWORD [RIP+0x924abf8]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendMessageW 0000000077036b50 6 bytes {JMP QWORD [RIP+0x91c94e0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!PostMessageW 00000000770376e4 6 bytes {JMP QWORD [RIP+0x914894c]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendDlgItemMessageW 000000007703dd90 6 bytes {JMP QWORD [RIP+0x92c22a0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!GetClipboardData 000000007703e874 6 bytes {JMP QWORD [RIP+0x94017bc]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SetClipboardViewer 000000007703f780 6 bytes {JMP QWORD [RIP+0x93c08b0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000770428e4 6 bytes {JMP QWORD [RIP+0x925d74c]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!mouse_event 0000000077043894 6 bytes {JMP QWORD [RIP+0x909c79c]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077048a10 6 bytes {JMP QWORD [RIP+0x92f7620]} .text C:\windows\system32\services.exe[808] 
C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077048be0 6 bytes {JMP QWORD [RIP+0x91d7450]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077048c20 6 bytes {JMP QWORD [RIP+0x90b7410]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendInput 0000000077048cd0 6 bytes {JMP QWORD [RIP+0x92d7360]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!BlockInput 000000007704ad60 6 bytes {JMP QWORD [RIP+0x93d52d0]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!ExitWindowsEx 00000000770714e0 6 bytes {JMP QWORD [RIP+0x946eb50]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!keybd_event 00000000770945a4 6 bytes {JMP QWORD [RIP+0x902ba8c]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007709cc08 6 bytes {JMP QWORD [RIP+0x9243428]} .text C:\windows\system32\services.exe[808] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007709df18 6 bytes {JMP QWORD [RIP+0x91c2118]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!StretchBlt 
000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\services.exe[808] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\services.exe[808] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\services.exe[808] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes JMP 0 .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} 
.text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\lsass.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\lsass.exe[824] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 44f043e .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\lsass.exe[824] 
C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\lsass.exe[824] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text 
C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\lsm.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\lsm.exe[832] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text 
C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[832] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\winlogon.exe[888] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text 
C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP 
QWORD [RIP+0x92ed530]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[988] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\system32\svchost.exe[988] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[988] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff3b6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[988] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[988] 
C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes 
JMP 70f4000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common 
Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common 
Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common 
Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!MoveWindow + 4 
00000000766c369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 7142000a .text 
C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] 
C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe[368] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717b000a .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\nvvsvc.exe[384] 
C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\nvvsvc.exe[384] 
C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!CreateDCW 
000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 10002 .text C:\windows\system32\nvvsvc.exe[384] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text 
C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\svchost.exe[528] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\system32\svchost.exe[528] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[528] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff3b6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes 
{JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\svchost.exe[528] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\svchost.exe[928] 
C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text 
C:\windows\system32\svchost.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[928] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[928] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 701b .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\GDI32.dll!PlgBlt 
000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\svchost.exe[928] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes JMP 8eb5af1 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes JMP 928cfe8 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes JMP 65c0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes JMP 10582b7 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes JMP 940d740 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes JMP 1014a32 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes JMP 917d1e8 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes JMP 9295dd1 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes JMP 96ec0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes JMP 4ac0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes JMP 102c0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes JMP 123ec0 .text 
C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes JMP 94324e8 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes JMP 9455870 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes JMP 105254d .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes JMP 93f8411 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes JMP 7bce1b0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes JMP 9122f80 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes JMP 92d5520 .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes JMP 9650ab0 .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes JMP 1a80 .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes JMP 8eb5201 .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 940000 .text 
C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\System32\svchost.exe[1072] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\svchost.exe[1112] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text 
C:\windows\system32\svchost.exe[1112] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 320034 .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 
000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\svchost.exe[1112] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\svchost.exe[1140] 
C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text 
C:\windows\system32\svchost.exe[1140] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff3b6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\svchost.exe[1140] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\System32\svchost.exe[1184] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text 
C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text 
C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\System32\svchost.exe[1184] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[1236] C:\windows\system32\GDI32.dll!PlgBlt 
000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program 
Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP aab .text C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe[1332] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 
bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1384] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text 
C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text 
C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 26] .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text 
C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\nvvsvc.exe[1396] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text 
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 37] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xe6cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 2bc5 .text C:\Program 
Files\Realtek\Audio\HDA\RAVBg64.exe[1432] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x15ac20]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes {JMP QWORD [RIP+0x8ddc550]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text 
C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes CALL 5b000038 .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP 
QWORD [RIP+0xedd64]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\WLANExt.exe[1660] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\conhost.exe[1700] 
C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\conhost.exe[1700] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes JMP c4b8b8b8 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes JMP ffdbe3df .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes JMP ff0b140e .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes JMP ffa0c948 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes JMP ff011901 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes JMP ff241810 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes JMP ffffffff .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes JMP fff0f0f0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes JMP ffa5a5a5 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes JMP ff194b1a .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes JMP ff333333 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes JMP ff102304 .text 
C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes JMP ff405f3e .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes JMP fffafcfe .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes JMP fffafcfe .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes JMP fff4e6e8 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes JMP ff23601f .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes JMP ffdfdfb9 .text C:\windows\system32\Dwm.exe[1844] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes JMP ff333333 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[1844] 
C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 6 bytes JMP 119fffe .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes JMP ff28ffd1 .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 6 bytes {JMP QWORD [RIP+0x930ea60]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x93ee9f0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93ae9b0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x940e910]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x938e880]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x928e840]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ae7f0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x93ce7d0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x948e5e0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x926e4d0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x932e400]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x942e2b0]} .text C:\windows\Explorer.EXE[1872] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x946e2a0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x934df30]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x944dea0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x936d630]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x92cd5b0]} .text C:\windows\Explorer.EXE[1872] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x92ed530]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f75c10]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f1e4e0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\Explorer.EXE[1872] C:\windows\system32\kernel32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ec7820]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\windows\Explorer.EXE[1872] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 26] .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text 
C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 720065 .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1872] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000077026ef0 6 bytes {JMP QWORD [RIP+0x9379140]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000077028184 6 bytes {JMP QWORD [RIP+0x9457eac]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SetParent 0000000077028530 6 bytes {JMP QWORD [RIP+0x9397b00]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!PostMessageA 000000007702a404 6 bytes {JMP QWORD [RIP+0x9135c2c]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!EnableWindow 000000007702aaa0 6 bytes {JMP QWORD [RIP+0x9495590]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!MoveWindow 000000007702aad0 6 bytes {JMP QWORD [RIP+0x93b5560]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!GetAsyncKeyState 000000007702c720 6 bytes {JMP QWORD [RIP+0x9353910]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!RegisterHotKey 000000007702cd50 6 bytes {JMP QWORD [RIP+0x94332e0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!PostThreadMessageA 000000007702d2b0 6 bytes {JMP QWORD [RIP+0x9172d80]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendMessageA 000000007702d338 6 bytes {JMP QWORD [RIP+0x91b2cf8]} .text C:\windows\Explorer.EXE[1872] 
C:\windows\system32\USER32.dll!SendNotifyMessageW 000000007702dc40 6 bytes {JMP QWORD [RIP+0x92923f0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SystemParametersInfoW 000000007702f510 6 bytes {JMP QWORD [RIP+0x9470b20]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SetWindowsHookExW 000000007702f874 6 bytes {JMP QWORD [RIP+0x90f07bc]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendMessageTimeoutW 000000007702fac0 6 bytes {JMP QWORD [RIP+0x9210570]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077030b74 6 bytes {JMP QWORD [RIP+0x918f4bc]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000077034d4d 5 bytes {JMP QWORD [RIP+0x910b2e4]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!GetKeyState 0000000077035010 6 bytes {JMP QWORD [RIP+0x932b020]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077035438 6 bytes {JMP QWORD [RIP+0x924abf8]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendMessageW 0000000077036b50 6 bytes {JMP QWORD [RIP+0x91c94e0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!PostMessageW 00000000770376e4 6 bytes {JMP QWORD [RIP+0x914894c]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendDlgItemMessageW 000000007703dd90 6 bytes {JMP QWORD [RIP+0x92c22a0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!GetClipboardData 000000007703e874 6 bytes {JMP QWORD [RIP+0x94017bc]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SetClipboardViewer 000000007703f780 6 bytes {JMP QWORD [RIP+0x93c08b0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000770428e4 6 bytes {JMP QWORD [RIP+0x925d74c]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!mouse_event 0000000077043894 6 bytes 
{JMP QWORD [RIP+0x909c79c]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077048a10 6 bytes {JMP QWORD [RIP+0x92f7620]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077048be0 6 bytes {JMP QWORD [RIP+0x91d7450]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077048c20 6 bytes {JMP QWORD [RIP+0x90b7410]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendInput 0000000077048cd0 6 bytes {JMP QWORD [RIP+0x92d7360]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!BlockInput 000000007704ad60 6 bytes {JMP QWORD [RIP+0x93d52d0]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!ExitWindowsEx 00000000770714e0 6 bytes {JMP QWORD [RIP+0x946eb50]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!keybd_event 00000000770945a4 6 bytes {JMP QWORD [RIP+0x902ba8c]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007709cc08 6 bytes {JMP QWORD [RIP+0x9243428]} .text C:\windows\Explorer.EXE[1872] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007709df18 6 bytes {JMP QWORD [RIP+0x91c2118]} .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 3 bytes JMP 7100000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fc94 2 bytes JMP 7100000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70eb000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 
bytes JMP 70eb000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70f1000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70f1000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70e8000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70e8000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70f4000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70f4000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 710c000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 710c000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7109000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 7109000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70ee000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70ee000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70dc000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70dc000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 
710f000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 710f000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70fd000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70fd000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70e5000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70e5000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70df000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70df000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70fa000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70fa000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70e2000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70e2000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70f7000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70f7000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 7106000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 
0000000077441c98 2 bytes JMP 7106000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 7103000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 7103000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 6 bytes JMP 71a8000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719c000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7199000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 7190000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719f000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 715d000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7118000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7157000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 7151000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 6 bytes JMP 7169000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] 
C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 711e000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 711e000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 7163000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7136000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 712d000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 712d000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 7115000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 712a000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 712a000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7166000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 7160000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 715a000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 711b000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 6 bytes JMP 716c000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7145000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 
00000000766c76e0 6 bytes JMP 714b000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7154000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 6 bytes JMP 716f000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7127000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7127000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 7142000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713f000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 7133000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7139000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7139000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 713c000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 713c000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7121000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 7112000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7172000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 
7175000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714e000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7148000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 7124000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 7124000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 7130000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 7130000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7184000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7181000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718d000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7178000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717e000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7187000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 718a000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717b000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7196000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] 
C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7193000a .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\ProgramData\eSafe\eGdpSvc.exe[1992] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010028075c .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001002803a4 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100280b14 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100280ecc .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010028163c .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 
0000000077291810 5 bytes JMP 0000000100281284 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001002819f4 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Windows\System32\hkcmd.exe[2136] 
C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP fefefefe .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac 
.text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Windows\System32\hkcmd.exe[2136] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010046075c .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001004603a4 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d9ec30]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100460b14 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100460ecc .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010046163c .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x944e9f0]} .text C:\Windows\System32\igfxpers.exe[2152] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x940e9b0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x946e910]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93ee880]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92de840]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100461284 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92fe7f0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x942e7d0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94ee5e0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92be4d0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x938e400]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x948e2b0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94ce2a0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x93adf30]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x94adea0]} 
.text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001004619f4 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93cd630]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x931d5b0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x933d530]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f95c10]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f3e4e0]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ee7820]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 
000007ff7d5d163c .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP fefefefe .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\igfxpers.exe[2152] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010033075c .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001003303a4 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] 
C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100330b14 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100330ecc .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010033163c .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100331284 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 
bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001003319f4 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text 
C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 
000007ff7d5d163c .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\Elantech\ETDCtrl.exe[2160] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001001a075c .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001001a03a4 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001001a0b14 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001001a0ecc .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001001a163c .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001001a1284 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001001a19f4 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\COMODO\COMODO Internet 
Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2168] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001002e075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001002e0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] 
C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001002e163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001002e1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP 
QWORD [RIP+0x947e2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001002e19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] 
C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 1 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] 
C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xe6cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 10002 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x15ac20]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] 
C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files 
(x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] 
C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 
00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!GetPixel 
0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] 
C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] 
C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2192] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100150600 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001002f075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] 
C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001002f03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001002f0b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001002f0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001002f163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001002f1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] 
C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001002f19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD 
[RIP+0x8f2e4e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 
000007ff7d5d0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70af000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70af000a .text C:\Program Files 
(x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70ac000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70ac000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70b8000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70b8000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 70ce000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 70ce000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70b2000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70b2000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] 
C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70a0000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70a0000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 70d4000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 70d4000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70c1000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70c1000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70a9000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70a9000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70a3000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70a3000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70be000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70be000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70a6000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] 
C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70a6000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70cb000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70cb000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70c8000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70c8000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] 
C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 70dd000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 70e3000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 70e3000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetParent + 4 
00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 70da000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 70e0000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100240600 .text C:\Program Files 
(x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 70d7000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] 
C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files 
(x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text 
... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fc94 2 bytes [F8, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e4000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e4000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 00000000cbd1c721 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes [D6, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes [EC, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] 
C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes [04, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7102000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 7102000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes [CA, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7108000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7108000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes [F5, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes [D3, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 
0000000077440884 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes [CD, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes [F2, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes [D0, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes [EF, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes [FE, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes [FB, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075d9103d 6 bytes {JMP QWORD [RIP+0x719b001e]} 
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075d91072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2704] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010037075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001003703a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100370b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100370ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010037163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100371284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text 
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001003719f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 
000007ff7d5d0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010012075c .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001001203a4 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100120b14 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100120ecc .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010012163c .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100121284 .text C:\windows\System32\spoolsv.exe[376] 
C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001001219f4 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text 
C:\windows\System32\spoolsv.exe[376] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\System32\spoolsv.exe[376] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\System32\spoolsv.exe[376] 
C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[376] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010037075c .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001003703a4 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100370b14 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100370ecc .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010037163c .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 
0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100371284 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\windows\system32\svchost.exe[1460] 
C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001003719f4 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text 
C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\svchost.exe[1460] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff3b6bd0 6 bytes JMP 228fed0 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1460] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\svchost.exe[1460] 
C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001003b075c .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001003b03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001003b0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001003b0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001003b163c .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] 
C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001003b1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001003b19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Program 
Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 0A] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 265270 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text 
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtClose 
000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] 
C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70d4000a .text C:\Program Files 
(x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70de000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 
0000000077441c98 2 bytes JMP 70de000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70db000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70db000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files 
(x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 717d000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 717a000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7171000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!MaskBlt 
0000000075b5c332 6 bytes JMP 7177000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 7174000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7153000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 714d000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 7147000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 710f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 710f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 7159000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 712c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 
7123000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7123000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 711c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 711c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 715c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 7156000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7150000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 710c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 713b000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7141000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 
bytes JMP 714a000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7119000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7119000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 7138000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 7135000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 7129000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 712f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 712f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7132000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7132000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7112000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] 
C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 716b000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 716e000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 7144000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 713e000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 7126000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 7126000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... 
* 2 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001001f075c .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001001f03a4 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001001f0b14 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001001f0ecc .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001001f163c .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001001f1284 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text 
C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001001f19f4 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 
000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\svchost.exe[2996] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} 
.text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[2996] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] 
C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 00000000cbd1c95d .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 
bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Common 
Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] 
C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 70f6000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001000d01f8 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 
bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 70f3000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001000d03fc .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 00000001000d0804 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] 
C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 00000001000d0600 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 00000001000d0a08 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 
bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 70f0000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] 
C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 00000001000e1014 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 00000001000e0c0c .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 
00000001000e0e10 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[3124] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 
bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 
0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] 
C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes' 
Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\Malwarebytes' 
Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\Malwarebytes' 
Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\Malwarebytes' 
Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text 
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text 
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100161014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100160c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100160e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[3268] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] 
C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70d8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70d8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70d5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70d5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a 
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70c9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70c9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] 
C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70d2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70d2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70cc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70cc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70cf000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70cf000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 
2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update 
Core\daemonu.exe[3392] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100091014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] 
C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update 
Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] 
C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3392] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... 
* 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001002b075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001002b03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001002b0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001002b0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001002b163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001002b1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 
00000001002b19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] 
C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 3 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] 
C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] 
C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] 
C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 
bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Program Files 
(x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update 
Core\ComUpdatus.exe[3960] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\NVIDIA 
Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 
717a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update 
Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 
00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program 
Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3960] 
C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001001d075c .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001001d03a4 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001001d0b14 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001001d0ecc .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001001d163c .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes JMP 945bcc0 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes JMP 5c0073 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001001d1284 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text 
C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes JMP 94de768 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes JMP 0 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes JMP 901210d .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes JMP 94be38c .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes JMP 4 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001001d19f4 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 
bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text 
C:\windows\system32\SearchIndexer.exe[3308] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\svchost.exe[4320] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 4d68636d .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!CreateDCW 
000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[4320] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\svchost.exe[4364] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[4364] 
C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[4364] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010037075c .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001003703a4 .text C:\Program 
Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100370ecc .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010037163c .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100371284 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001003719f4 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 7099000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 7099000a 
.text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 709f000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 709f000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 7096000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 7096000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70a2000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70a2000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440068 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 
0000000077440094 3 bytes JMP 709c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 709c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 708a000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 708a000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 7093000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 7093000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 708d000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 708d000a .text C:\Program Files (x86)\Enigma Software 
Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 7090000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 7090000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70a5000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70a5000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 
00000001000301f8 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Enigma Software 
Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7153000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 70d6000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 714d000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 7147000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 
bytes JMP 7159000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 712c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7123000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7123000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 70d3000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 711c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 711c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 715c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 7156000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7150000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 70d9000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 
bytes JMP 0000000100250804 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 713b000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7141000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 714a000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7119000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7119000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 7138000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 7135000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 7129000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 712f000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 712f000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] 
C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7132000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7132000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 70df000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 70d0000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 716b000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 716e000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 7144000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 713e000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 7126000a .text C:\Program Files (x86)\Enigma Software 
Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 7126000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 717d000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 717a000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7171000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 7177000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 7174000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\Enigma Software 
Group\SpyHunter\SpyHunter4.exe[4764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text 
C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\DllHost.exe[1276] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] 
C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) 
Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text 
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 
00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetParent + 4 
00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 
00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] 
C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] 
C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] 
C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[284] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4664] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 
7195000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] 
C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 
7126000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4664] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001002a075c .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001002a03a4 .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001002a0b14 .text C:\windows\system32\svchost.exe[2988] 
C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001002a0ecc .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001002a163c .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001002a1284 .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text 
C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001002a19f4 .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 
000007ff7d5d1dac .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\svchost.exe[2988] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP 0 .text 
C:\windows\system32\svchost.exe[2988] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc7a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\windows\system32\svchost.exe[2988] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc9fa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001001c075c .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001001c03a4 .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001001c0b14 .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001001c0ecc .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001001c163c .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001001c1284 .text 
C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001001c19f4 .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 
000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\svchost.exe[5020] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 
bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 8f66 .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\svchost.exe[5020] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 
000000007743fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 
7101000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 00000001002c1014 .text C:\Program 
Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 00000001002c0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 00000001002c0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 00000001002c0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 00000001002c0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001002c01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001002c03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 00000001002c0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 
00000000766b90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 7153000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 00000001002d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!CreateDCA 
0000000075b57bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1796] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 00000001001a075c .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001001a03a4 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 00000001001a0b14 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 00000001001a0ecc .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 00000001001a163c .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 00000001001a1284 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes {JMP QWORD [RIP+0x941e7d0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text 
C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001001a19f4 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007717eecd 1 byte [62] .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes [FF, 25, A0, AD, 0A] .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 
000007ff7d5d0ecc .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\windows\system32\SearchProtocolHost.exe[2864] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\system32\SearchProtocolHost.exe[2864] 
C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263ae0 5 bytes JMP 000000010041075c .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077267a90 5 bytes JMP 00000001004103a4 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077291400 6 bytes {JMP QWORD [RIP+0x8d8ec30]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291490 5 bytes JMP 0000000100410b14 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772914f0 5 bytes JMP 0000000100410ecc .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772915d0 5 bytes JMP 000000010041163c .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077291640 6 bytes {JMP QWORD [RIP+0x943e9f0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291680 6 bytes {JMP QWORD [RIP+0x93fe9b0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077291720 6 bytes {JMP QWORD [RIP+0x945e910]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772917b0 6 bytes {JMP QWORD [RIP+0x93de880]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772917f0 6 bytes {JMP QWORD [RIP+0x92ce840]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077291810 5 bytes JMP 0000000100411284 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077291840 6 bytes {JMP QWORD [RIP+0x92ee7f0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291860 6 bytes 
{JMP QWORD [RIP+0x941e7d0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077291a50 6 bytes {JMP QWORD [RIP+0x94de5e0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b60 6 bytes {JMP QWORD [RIP+0x92ae4d0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291c30 6 bytes {JMP QWORD [RIP+0x937e400]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d80 6 bytes {JMP QWORD [RIP+0x947e2b0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d90 6 bytes {JMP QWORD [RIP+0x94be2a0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077292100 6 bytes {JMP QWORD [RIP+0x939df30]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292190 6 bytes {JMP QWORD [RIP+0x949dea0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077292840 5 bytes JMP 00000001004119f4 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077292a00 6 bytes {JMP QWORD [RIP+0x93bd630]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a80 6 bytes {JMP QWORD [RIP+0x930d5b0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292b00 6 bytes {JMP QWORD [RIP+0x932d530]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007712a420 6 bytes {JMP QWORD [RIP+0x8f85c10]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000077141b50 6 bytes {JMP QWORD [RIP+0x8f2e4e0]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 
189 000000007717eecd 1 byte [62] .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\KERNEL32.dll!CreateProcessA 00000000771b8810 6 bytes {JMP QWORD [RIP+0x8ed7820]} .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369aa5 3 bytes [65, 65, 06] .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd375290 5 bytes JMP 0 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!DeleteDC 000007fefd6722cc 6 bytes JMP 0 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!BitBlt 000007fefd6724c0 6 bytes JMP 16f3dd56 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!MaskBlt 000007fefd675be0 6 bytes JMP 9d30302b .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!CreateDCW 000007fefd678398 6 bytes JMP 0 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!CreateDCA 000007fefd6789c8 6 bytes JMP 0 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!GetPixel 000007fefd679344 6 bytes JMP 0 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!StretchBlt 000007fefd67b9e8 6 bytes JMP df0005da .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\system32\GDI32.dll!PlgBlt 000007fefd685410 6 bytes JMP fae9e2a0 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd5b6e00 5 bytes JMP 000007ff7d5d1dac .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd5b6f2c 5 bytes JMP 000007ff7d5d0ecc .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd5b7220 5 bytes JMP 000007ff7d5d1284 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd5b739c 5 bytes JMP 000007ff7d5d163c .text D:\programy\WinRAR\WinRAR.exe[6016] 
C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd5b7538 5 bytes JMP 000007ff7d5d19f4 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd5b75e8 5 bytes JMP 000007ff7d5d03a4 .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd5b790c 5 bytes JMP 000007ff7d5d075c .text D:\programy\WinRAR\WinRAR.exe[6016] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd5b7ab4 5 bytes JMP 000007ff7d5d0b14 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007743f9c0 3 bytes JMP 71af000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9c4 2 bytes JMP 71af000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007743faa0 5 bytes JMP 0000000100030600 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007743fb38 5 bytes JMP 0000000100030804 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd44 3 bytes JMP 70e2000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd48 2 bytes JMP 70e2000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fda8 3 bytes JMP 70e8000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdac 2 bytes JMP 70e8000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fea0 3 bytes JMP 70df000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] 
C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fea4 2 bytes JMP 70df000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ff84 3 bytes JMP 70eb000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ff88 2 bytes JMP 70eb000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 000000007743ffe4 3 bytes JMP 7104000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007743ffe8 2 bytes JMP 7104000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077440018 5 bytes JMP 0000000100030a08 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440064 3 bytes JMP 7101000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 5 0000000077440069 1 byte [71] .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077440094 3 bytes JMP 70e5000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077440098 2 bytes JMP 70e5000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077440398 3 bytes JMP 70d3000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007744039c 2 bytes JMP 70d3000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440530 3 bytes JMP 7107000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440534 2 bytes JMP 7107000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] 
C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440674 3 bytes JMP 70f4000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440678 2 bytes JMP 70f4000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744086c 3 bytes JMP 70dc000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440870 2 bytes JMP 70dc000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077440884 3 bytes JMP 70d6000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077440888 2 bytes JMP 70d6000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440dd4 3 bytes JMP 70f1000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440dd8 2 bytes JMP 70f1000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440eb8 3 bytes JMP 70d9000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440ebc 2 bytes JMP 70d9000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077441900 5 bytes JMP 0000000100030e10 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441bc4 3 bytes JMP 70ee000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441bc8 2 bytes JMP 70ee000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441c94 3 bytes JMP 70fe000a .text 
C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441c98 2 bytes JMP 70fe000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d6c 3 bytes JMP 70fb000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d70 2 bytes JMP 70fb000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007745c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461217 5 bytes JMP 00000001000303fc .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075d9103d 6 bytes JMP 719b000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075d91072 6 bytes JMP 7198000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075dba30a 1 byte [62] .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075dbc9b5 6 bytes JMP 718f000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007639f776 6 bytes JMP 719e000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000763a2c91 4 bytes CALL 71ac0000 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000766b8bff 6 bytes JMP 7159000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000766b90d3 6 bytes JMP 7110000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendMessageW 00000000766b9679 6 bytes JMP 
7153000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000766b97d2 6 bytes JMP 714d000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee09 5 bytes JMP 00000001002401f8 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000766befc9 3 bytes JMP 7116000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000766befcd 2 bytes JMP 7116000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!PostMessageW 00000000766c12a5 6 bytes JMP 715f000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!GetKeyState 00000000766c291f 6 bytes JMP 7132000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetParent 00000000766c2d64 3 bytes JMP 7129000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000766c2d68 2 bytes JMP 7129000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!EnableWindow 00000000766c2da4 6 bytes JMP 710d000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!MoveWindow 00000000766c3698 3 bytes JMP 7126000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000766c369c 2 bytes JMP 7126000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!UnhookWinEvent 00000000766c3982 5 bytes JMP 00000001002403fc .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!PostMessageA 00000000766c3baa 6 bytes JMP 7162000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000766c3c61 6 bytes JMP 715c000a .text 
C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendMessageA 00000000766c612e 6 bytes JMP 7156000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000766c6c30 6 bytes JMP 7113000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7603 5 bytes JMP 0000000100240804 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7668 6 bytes JMP 7141000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766c76e0 6 bytes JMP 7147000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000766c781f 6 bytes JMP 7150000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c835c 5 bytes JMP 0000000100240600 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000766cc4b6 3 bytes JMP 7123000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000766cc4ba 2 bytes JMP 7123000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000766dc112 6 bytes JMP 713e000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000766dd0f5 6 bytes JMP 713b000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000766deb96 6 bytes JMP 712f000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000766dec68 3 bytes JMP 7135000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000766dec6c 2 bytes JMP 7135000a 
.text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df52b 5 bytes JMP 0000000100240a08 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendInput 00000000766dff4a 3 bytes JMP 7138000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000766dff4e 2 bytes JMP 7138000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000766f9f1d 6 bytes JMP 7119000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076701497 6 bytes JMP 710a000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!mouse_event 000000007671027b 6 bytes JMP 7171000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!keybd_event 00000000767102bf 6 bytes JMP 7174000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076716cfc 6 bytes JMP 714a000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716d5d 6 bytes JMP 7144000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!BlockInput 0000000076717dd7 3 bytes JMP 711c000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076717ddb 2 bytes JMP 711c000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767188eb 3 bytes JMP 712c000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767188ef 2 bytes JMP 712c000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075b558b3 6 bytes JMP 7183000a .text 
C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075b55ea6 6 bytes JMP 7180000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075b57bcc 6 bytes JMP 718c000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075b5b895 6 bytes JMP 7177000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075b5c332 6 bytes JMP 717d000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075b5cbfb 6 bytes JMP 7186000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075b5e743 6 bytes JMP 7189000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075b84646 6 bytes JMP 717a000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075d22538 6 bytes JMP 7195000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075d252e9 6 bytes JMP 7192000a .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075b25181 5 bytes JMP 0000000100251014 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075b25254 5 bytes JMP 0000000100250804 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075b253d5 5 bytes JMP 0000000100250a08 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075b254c2 5 bytes JMP 0000000100250c0c .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075b255e2 5 bytes JMP 0000000100250e10 .text 
C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075b2567c 5 bytes JMP 00000001002501f8 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075b2589f 5 bytes JMP 00000001002503fc .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075b25a22 5 bytes JMP 0000000100250600 .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\Marcin\Desktop\gmer\m57g1hli.exe[5100] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\System32\hkcmd.exe[2136] @ 
C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\Windows\System32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\System32\hkcmd.exe[2136] @ C:\Windows\System32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] 
[80130000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\Windows\System32\dwmapi.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\System32\igfxpers.exe[2152] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ 
C:\windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2160] @ C:\windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2176] @ C:\windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ 
C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[2364] @ C:\windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\OLEACC.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2972] @ C:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] 
IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\System32\spoolsv.exe[376] @ C:\windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ 
C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[1460] @ C:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ 
C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2488] @ C:\windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT 
C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\svchost.exe[2996] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ 
C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] @ C:\windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft 
Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3844] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchIndexer.exe[3308] @ C:\windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4320] @ 
C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[4320] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[4364] @ 
C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[4364] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ 
C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5072] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1400729f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO 
Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [140071a70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [140072100] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ 
C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [140070e00] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [140070d40] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [140070eb0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [140070f70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [140071010] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [140072440] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet 
Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1400724d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [140072390] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [140070cc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT 
C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRect] [140072260] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [140070cc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [140070f70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [140072440] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] 
[140072100] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [140070e00] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [140070d40] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [140071010] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SHELL32.dll[USER32.dll!FillRect] [140072390] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program 
Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [140071010] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet 
Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ 
C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!GetModuleHandleA] [1400729f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ 
C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!RegisterClassA] [140071a70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\version.DLL[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\version.DLL[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] 
[140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [1400729f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [140071a70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[USER32.dll!DrawEdge] [140072440] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program 
Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!GetModuleHandleA] [1400729f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program 
Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\SETUPAPI.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program 
Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!GetSysColor] [140070bf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!DrawEdge] [140072440] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!GetSysColorBrush] [140070cc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!DefFrameProcW] [1400714e0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!DrawMenuBar] [140072570] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!SystemParametersInfoW] [140071f20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!AdjustWindowRectEx] [140072100] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!CallWindowProcW] [140071010] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!GetSystemMetrics] [140071cd0] C:\Program Files\COMODO\COMODO 
Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[USER32.dll!FillRect] [140072390] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\UxTheme.dll[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\imagehlp.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT 
C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [140071ba0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[GDI32.dll!DeleteObject] [140070c60] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[KERNEL32.dll!LoadLibraryW] [140072820] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[KERNEL32.dll!LoadLibraryA] [1400727d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[KERNEL32.dll!GetModuleHandleA] [1400729f0] C:\Program 
Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!LoadLibraryExW] [1400728f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ntmarta.dll[KERNEL32.dll!CreateThread] [140071990] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [140072b10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4540] @ C:\windows\system32\ntmarta.dll[KERNEL32.dll!LoadLibraryExA] [140072870] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\DllHost.exe[1276] 
@ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\DllHost.exe[1276] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2988] @ 
C:\windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[2988] @ C:\windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\svchost.exe[5020] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT 
C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\MSSHooks.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\windows\system32\SearchProtocolHost.exe[2864] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] 
[80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL[USER32.dll!SetWindowsHookExW] [80120000] IAT D:\programy\WinRAR\WinRAR.exe[6016] @ C:\windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80180000] ---- Processes - GMER 2.1 ---- Library C:\Users\Marcin\Desktop\OTL.exe (*** suspicious ***) @ C:\Users\Marcin\Desktop\OTL.exe [5488] 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? 
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 58 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1643978 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e0ca9440aa46 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e0ca9440aa46@6c8336e14ef5 0x43 0xA7 0x49 0xB0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df1ff48d Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 10992 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? 
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 58 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1643978 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e0ca9440aa46 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e0ca9440aa46@6c8336e14ef5 0x43 0xA7 0x49 0xB0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df1ff48d (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00D39.log 1048576 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00D3A.log 1048576 bytes ---- EOF - GMER 2.1 ----