GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-27 14:30:53 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 M4-CT256 rev.000F 238.47GB Running: pm770lnu.exe; Driver: C:\Users\robert\AppData\Local\Temp\kgtdapob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\services.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\services.exe[156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Windows\system32\services.exe[156] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdcf4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd4750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077726ef0 6 bytes {JMP QWORD [RIP+0x8cb9140]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077728184 6 bytes {JMP QWORD [RIP+0x8d97eac]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetParent 0000000077728530 6 bytes {JMP QWORD [RIP+0x8cd7b00]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077729bcc 6 bytes {JMP QWORD [RIP+0x8a36464]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!PostMessageA 000000007772a404 6 bytes {JMP QWORD [RIP+0x8a75c2c]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!EnableWindow 000000007772aaa0 6 bytes {JMP QWORD [RIP+0x8dd5590]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!MoveWindow 000000007772aad0 6 bytes {JMP QWORD [RIP+0x8cf5560]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007772c720 6 bytes {JMP QWORD [RIP+0x8c93910]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007772cd50 6 bytes {JMP QWORD [RIP+0x8d732e0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007772d2b0 6 bytes {JMP QWORD [RIP+0x8ab2d80]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendMessageA 000000007772d338 6 bytes {JMP QWORD [RIP+0x8af2cf8]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007772dc40 6 bytes {JMP QWORD [RIP+0x8bd23f0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007772f510 6 bytes {JMP QWORD [RIP+0x8db0b20]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007772f874 6 bytes {JMP QWORD [RIP+0x89f07bc]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007772fac0 6 bytes {JMP QWORD [RIP+0x8b50570]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077730b74 6 bytes {JMP QWORD [RIP+0x8acf4bc]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777333b0 6 bytes {JMP QWORD [RIP+0x8a4cc80]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077734d4d 5 bytes {JMP QWORD [RIP+0x8a0b2e4]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!GetKeyState 0000000077735010 6 bytes {JMP QWORD [RIP+0x8c6b020]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077735438 6 bytes {JMP QWORD [RIP+0x8b8abf8]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendMessageW 0000000077736b50 6 bytes {JMP QWORD [RIP+0x8b094e0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!PostMessageW 00000000777376e4 6 bytes {JMP QWORD [RIP+0x8a8894c]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007773dd90 6 bytes {JMP QWORD [RIP+0x8c022a0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!GetClipboardData 000000007773e874 6 bytes {JMP QWORD [RIP+0x8d417bc]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007773f780 6 bytes {JMP QWORD [RIP+0x8d008b0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777428e4 6 bytes {JMP QWORD [RIP+0x8b9d74c]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!mouse_event 0000000077743894 6 bytes {JMP QWORD [RIP+0x899c79c]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077748a10 6 bytes {JMP QWORD [RIP+0x8c37620]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077748be0 6 bytes {JMP QWORD [RIP+0x8b17450]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077748c20 6 bytes {JMP QWORD [RIP+0x89b7410]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendInput 0000000077748cd0 6 bytes {JMP QWORD [RIP+0x8c17360]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!BlockInput 000000007774ad60 6 bytes {JMP QWORD [RIP+0x8d152d0]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777714e0 6 bytes {JMP QWORD [RIP+0x8daeb50]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!keybd_event 00000000777945a4 6 bytes {JMP QWORD [RIP+0x892ba8c]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007779cc08 6 bytes {JMP QWORD [RIP+0x8b83428]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007779df18 6 bytes {JMP QWORD [RIP+0x8b02118]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 8 .text C:\Windows\system32\services.exe[156] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\services.exe[156] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[156] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes JMP 1cf2e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 1 .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\lsm.exe[1028] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e150a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdcf4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[1180] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000010f50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\nvvsvc.exe[1240] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdcf4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010f50a0 6 bytes JMP 0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077871430 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000012050a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Windows\System32\svchost.exe[1512] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000011a50a0 6 bytes {JMP QWORD [RIP+0xdaf90]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes JMP 1dcba01 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes JMP aeb501 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes JMP 78f6001 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes JMP 12aa80 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes JMP 132a80 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes JMP 24a80 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes JMP 880445 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes JMP 8eee658 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes JMP 8e41d20 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes JMP 1340425 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes JMP 8ec9e18 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes JMP 9063979 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes JMP d04a7 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes JMP 1904ab .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\System32\SspiCli.dll!EncryptMessage 00000000014650a0 6 bytes {JMP QWORD [RIP+0x3caf90]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012250a0 6 bytes {JMP QWORD [RIP+0x5af90]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdcf4750 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 2000176 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP fd7afbc0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Windows\system32\svchost.exe[1636] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000011a50a0 6 bytes {JMP QWORD [RIP+0x26af90]} .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL d0000000 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1720] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP 20 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011450a0 6 bytes {JMP QWORD [RIP+0x11af90]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1856] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000f550a0 6 bytes {JMP QWORD [RIP+0x19af90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 6f .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011a50a0 6 bytes {JMP QWORD [RIP+0xbdaf90]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP fffff960 .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\nvvsvc.exe[1952] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011e50a0 6 bytes {JMP QWORD [RIP+0x8daf90]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\spoolsv.exe[2108] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000024f50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdcf4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011950a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2392] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 49000000 .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP aab .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorDbEngine.exe[2504] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 49000000 .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP aab .text C:\Program Files\Avid\Editor Transcode\TranscodeService\rnc-central\AvidEditorTranscodeStatus.exe[2716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[2760] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000016950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\ASUS\Bluetooth Software\btwdins.exe[2872] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd4750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe[1504] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012350a0 6 bytes {JMP QWORD [RIP+0x19af90]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 10002 .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes JMP 0 .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files\GenArts\Monsters-AE64\bin\FlowFinder3MonstersAE64.exe[2740] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024d50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\GenArts\Monsters-AE64\bin\JawsServerAE64.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe[3336] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe[3488] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\System32\svchost.exe[3612] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[3676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70d7000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70d7000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 709e000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 709e000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70a4000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70a4000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 709b000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 709b000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70a7000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70a7000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 70e3000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 70e3000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70e0000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70e0000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70a1000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70a1000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 708f000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 708f000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 70e6000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 70e6000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70b0000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70b0000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 7098000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 7098000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 7092000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 7092000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ad000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70ad000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 7095000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 7095000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70aa000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70aa000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70dd000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70dd000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70da000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70da000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 70ef000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 70f5000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 70f5000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 711d000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7114000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7114000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 70ec000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7111000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7111000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 70f2000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 710e000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 710e000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 711a000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7120000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7120000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7123000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7123000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 70f8000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 70e9000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 710b000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 710b000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7117000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7117000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Windows\SysWOW64\NLSSRV32.EXE[3752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files (x86)\NoMachine\bin\nxdeviced64.exe[3872] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd4750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f2000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f2000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70dd000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70dd000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e3000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e3000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70da000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70da000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 70fe000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 70fe000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fb000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fb000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70ce000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70ce000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7101000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 0000000077a20555 1 byte [71] .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70ef000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70ef000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70d7000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70d7000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d4000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d4000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70f8000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70f8000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f5000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f5000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715d000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714b000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 7107000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711e000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7160000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7166000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 7139000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7104000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\NoMachine\bin\nxdisplay.exe[3964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\NoMachine\bin\nxfsd.exe[4092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes JMP 73006f .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 29e .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\conhost.exe[3480] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 10002 .text C:\Program Files (x86)\NoMachine\bin\nxusbd64.exe[4128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f6000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f6000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e1000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e1000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e7000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e7000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70de000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70de000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 00000000cc2fc91d .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7102000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7102000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70ff000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70ff000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d2000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d2000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7105000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7105000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f3000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f3000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70db000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70db000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d5000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d5000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f0000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f0000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d8000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d8000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ed000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ed000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fc000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fc000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f9000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715f000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7153000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710e000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714d000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7147000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7165000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7114000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7114000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7159000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712c000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7123000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7123000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710b000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7120000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7120000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715c000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7156000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7162000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7150000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7111000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7168000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713b000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7141000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714a000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716b000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711d000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711d000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7138000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7135000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7129000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712f000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712f000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7132000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7132000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7117000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7108000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716e000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7144000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713e000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711a000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711a000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7126000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7126000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegCopyRectangles + 200 000000006e4c484d 4 bytes [A4, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegCopyRectangles + 210 000000006e4c4857 4 bytes [A0, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegCompressYuvData + 184 000000006e4c4950 4 bytes [A0, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegCompressYuvData + 270 000000006e4c49a6 4 bytes [A4, 80, CB, 66] .text ... * 3 .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegCompressYuvToBuffer + 225 000000006e4c528b 4 bytes [A0, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegCompressYuvToBuffer + 311 000000006e4c52e1 4 bytes [A4, 80, CB, 66] .text ... * 3 .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegInitData + 304 000000006e4c5a20 4 bytes [A0, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!JpegInitData + 341 000000006e4c5a45 4 bytes [A4, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXUnsetLibraryPath + 7 000000006e4c7d70 4 bytes [0C, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXUnsetLibraryPath + 18 000000006e4c7d7b 4 bytes [0C, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXHandleDisplayError + 7 000000006e4c7d8b 4 bytes [04, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXHandleDisplayError + 18 000000006e4c7d96 4 bytes [04, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXDisplayError + 29 000000006e4c7e0c 4 bytes [08, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXDisplayError + 39 000000006e4c7e16 4 bytes [08, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetDisplayErrorPredicate + 7 000000006e4c7e82 4 bytes [08, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetDisplayErrorPredicate + 18 000000006e4c7e8d 4 bytes [08, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetDisplayBlockHandler + 7 000000006e4c7e9d 4 bytes [14, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetDisplayBlockHandler + 18 000000006e4c7ea8 4 bytes [14, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetDisplayWriteHandler + 7 000000006e4c7eb8 4 bytes [18, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetDisplayWriteHandler + 18 000000006e4c7ec3 4 bytes [18, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetAuthorityHandler + 7 000000006e4c7ed3 4 bytes [20, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetAuthorityHandler + 18 000000006e4c7ede 4 bytes [20, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetLostSequenceHandler + 7 000000006e4c7eee 4 bytes [10, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXSetLostSequenceHandler + 18 000000006e4c7ef9 4 bytes [10, 40, CD, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXGetShmemParameters + 9 000000006e4c828f 4 bytes [28, C6, 42, 6A] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!NXGetShmemParameters + 124 000000006e4c8302 4 bytes [28, C6, 42, 6A] .text ... * 3 .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!Vp8RowCallback + 370 000000006e4d187b 4 bytes [E0, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!Vp8RowCallback + 389 000000006e4d188e 4 bytes [E4, 80, CB, 66] .text ... * 3 .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!H264InitData + 788 000000006e4d382d 4 bytes [A0, 80, CB, 66] .text C:\Program Files (x86)\NoMachine\bin\nxnode.bin[4176] C:\Program Files (x86)\NoMachine\bin\libnxcex.dll!H264InitData + 841 000000006e4d3862 4 bytes [A4, 80, CB, 66] .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 43] .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 47] .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 10002 .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\OO Software\Defrag\oodag.exe[4212] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000013050a0 6 bytes {JMP QWORD [RIP+0x1aaf90]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\System32\svchost.exe[4328] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f5000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f5000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e0000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e0000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e6000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e6000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70dd000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70dd000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7101000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077a20009 1 byte [71] .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fe000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fe000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7104000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7104000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f2000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f2000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70da000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70da000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ef000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70ef000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d7000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d7000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fb000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fb000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f8000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f8000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7152000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7146000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7164000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7113000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7113000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7158000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712b000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7122000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7122000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715b000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7155000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7161000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7110000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7167000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7140000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7149000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7137000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7134000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7128000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7131000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7131000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7116000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7107000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7143000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7119000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7119000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7125000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7125000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[4352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[4384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70de000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70de000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 00000000cc2fc91d .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70db000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70db000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7165000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7111000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7168000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7141000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7108000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f5000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f5000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70d5000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70d5000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70db000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70db000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70d2000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70d2000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70de000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70de000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7101000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077a20009 1 byte [71] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fe000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fe000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70d8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70d8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70c6000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70c6000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7104000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7104000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f2000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f2000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70cf000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70cf000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70c9000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70c9000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70e4000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70e4000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70cc000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70cc000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e1000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e1000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fb000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fb000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7152000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7146000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7164000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7113000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7113000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7158000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712b000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7122000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7122000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715b000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7155000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7161000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7110000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7167000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7140000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7149000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7137000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7134000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7128000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7131000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7131000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7116000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7107000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7143000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7119000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7119000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7125000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7125000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\svchost.exe[4640] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010e50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7101000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077a20009 1 byte [71] .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715e000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7152000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714c000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7146000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7164000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7158000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715b000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7155000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7161000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714f000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7110000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7167000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713a000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7140000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7149000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716a000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7137000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7134000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7131000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7131000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7116000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716d000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7143000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713d000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70af000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70af000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70b2000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70b2000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[4888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL 0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[5068] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000013c50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f5000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f5000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e0000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e0000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e6000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e6000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70dd000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70dd000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7101000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077a20009 1 byte [71] .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fe000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fe000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7104000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7104000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f2000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f2000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70da000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70da000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ef000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70ef000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d7000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d7000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fb000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fb000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f8000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f8000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7152000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7146000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7164000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7113000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7113000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7158000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712b000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7122000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7122000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715b000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7155000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7161000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714f000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7110000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7167000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7140000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7149000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716a000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7137000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7134000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7128000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712e000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7131000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7131000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7116000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7107000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7143000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713d000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7119000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7119000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7125000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7125000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\GenArts\rlm\rlm.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\conhost.exe[5092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f0000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f0000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70da000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70da000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e1000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e1000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70d7000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70d7000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e4000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e4000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 70fc000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 70fc000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70f9000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70f9000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70dd000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70dd000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70cb000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70cb000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 70ff000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 70ff000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70ed000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70ed000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70d4000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70d4000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70ce000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70ce000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ea000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 00000000cc2fd76d .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d1000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d1000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e7000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e7000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70f6000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70f6000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f3000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f3000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7192000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7189000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7159000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 714d000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 7108000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 7147000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7141000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 715f000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 710e000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 710e000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7153000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 7126000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 711d000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 711d000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 7105000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711a000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711a000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 7156000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7150000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 715c000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714a000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 710b000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7162000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 7135000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 713b000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7144000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 7165000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 7117000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 7117000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7132000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 712f000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7123000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7129000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7129000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 712c000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 712c000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7111000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7102000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 7168000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 716b000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 713e000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 7138000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7114000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7114000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7120000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7120000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 717d000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 7177000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 7186000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 716e000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7174000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7180000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7183000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7171000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 718f000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 718c000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717a000a .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 0000000070de13c6 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 0000000070de13f6 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 0000000070de14ad 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 0000000070de14db 2 bytes [DE, 70] .text ... * 2 .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 0000000070de1577 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 0000000070de15d7 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 0000000070de1794 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 0000000070de18c1 2 bytes [DE, 70] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Windows\SysWOW64\vmnat.exe[3748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x385940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x37f420]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd4750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes JMP 1000100 .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 49000000 .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP aab .text C:\Program Files\Avid\Editor Transcode\TranscodeService\AvidEditorMSE.exe[5128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 4420020 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[5164] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000024a50a0 6 bytes JMP 0 .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[5440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70d4000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70d4000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70da000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70da000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70d1000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70d1000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7100000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7100000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fd000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fd000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70d7000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70d7000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70c5000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70c5000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7103000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7103000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70e6000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70e6000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70ce000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70ce000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70cb000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70cb000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f7000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715d000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7160000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7166000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 7139000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7106000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[5824] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Windows\SysWOW64\vmnetdhcp.exe[5988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 1681a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077871430 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\SearchIndexer.exe[6672] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012850a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP a35 .text C:\Windows\system32\svchost.exe[7112] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000016350a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 174550 .text C:\Windows\system32\wbem\wmiprvse.exe[7120] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP a35 .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\WUDFHost.exe[5676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077726ef0 6 bytes {JMP QWORD [RIP+0x8cb9140]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077728184 6 bytes {JMP QWORD [RIP+0x8d97eac]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetParent 0000000077728530 6 bytes {JMP QWORD [RIP+0x8cd7b00]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077729bcc 6 bytes {JMP QWORD [RIP+0x8a36464]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!PostMessageA 000000007772a404 6 bytes {JMP QWORD [RIP+0x8a75c2c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!EnableWindow 000000007772aaa0 6 bytes {JMP QWORD [RIP+0x8dd5590]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!MoveWindow 000000007772aad0 6 bytes {JMP QWORD [RIP+0x8cf5560]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007772c720 6 bytes {JMP QWORD [RIP+0x8c93910]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007772cd50 6 bytes {JMP QWORD [RIP+0x8d732e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007772d2b0 6 bytes {JMP QWORD [RIP+0x8ab2d80]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendMessageA 000000007772d338 6 bytes {JMP QWORD [RIP+0x8af2cf8]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007772dc40 6 bytes {JMP QWORD [RIP+0x8bd23f0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007772f510 6 bytes {JMP QWORD [RIP+0x8db0b20]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007772f874 6 bytes {JMP QWORD [RIP+0x89f07bc]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007772fac0 6 bytes {JMP QWORD [RIP+0x8b50570]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077730b74 6 bytes {JMP QWORD [RIP+0x8acf4bc]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777333b0 6 bytes {JMP QWORD [RIP+0x8a4cc80]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077734d4d 5 bytes {JMP QWORD [RIP+0x8a0b2e4]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!GetKeyState 0000000077735010 6 bytes {JMP QWORD [RIP+0x8c6b020]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077735438 6 bytes {JMP QWORD [RIP+0x8b8abf8]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendMessageW 0000000077736b50 6 bytes {JMP QWORD [RIP+0x8b094e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!PostMessageW 00000000777376e4 6 bytes {JMP QWORD [RIP+0x8a8894c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007773dd90 6 bytes {JMP QWORD [RIP+0x8c022a0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!GetClipboardData 000000007773e874 6 bytes {JMP QWORD [RIP+0x8d417bc]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007773f780 6 bytes {JMP QWORD [RIP+0x8d008b0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777428e4 6 bytes {JMP QWORD [RIP+0x8b9d74c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!mouse_event 0000000077743894 6 bytes {JMP QWORD [RIP+0x899c79c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077748a10 6 bytes {JMP QWORD [RIP+0x8c37620]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077748be0 6 bytes {JMP QWORD [RIP+0x8b17450]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077748c20 6 bytes {JMP QWORD [RIP+0x89b7410]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendInput 0000000077748cd0 6 bytes {JMP QWORD [RIP+0x8c17360]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!BlockInput 000000007774ad60 6 bytes {JMP QWORD [RIP+0x8d152d0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777714e0 6 bytes {JMP QWORD [RIP+0x8daeb50]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!keybd_event 00000000777945a4 6 bytes {JMP QWORD [RIP+0x892ba8c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007779cc08 6 bytes {JMP QWORD [RIP+0x8b83428]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007779df18 6 bytes {JMP QWORD [RIP+0x8b02118]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 6f .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe[3736] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 142ddf17 .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Windows\system32\taskhost.exe[7020] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000028950a0 6 bytes {JMP QWORD [RIP+0xbaf90]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[3688] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[5076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0x9cdd60]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0xb5db78]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0xb7a450]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0x987cac]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x96766c]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0x9a6cf4]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0xbb4648]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[6888] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0xb93780]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 4fd550 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 6f .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4336] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes JMP ff000000 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes JMP ffffffff .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes JMP ff010305 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes JMP fff0f0f0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes JMP ffd7def0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes JMP ffdadada .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes JMP ffd3daed .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes JMP ffffffff .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes JMP fff0f0f0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes JMP fff0f0f0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes JMP ff2b80d4 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes JMP ffffffff .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes JMP fff6f8fc .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes JMP ff99b4d1 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes JMP ffffffff .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes JMP fff0f0f0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes JMP fff6f7f9 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes JMP ffd3daed .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes JMP ff050a0f .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes JMP ff03080d .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL e0000000 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP fd7a3b20 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[7968] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes JMP 6e0069 .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes JMP 300030 .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes JMP 6f .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Windows\Explorer.EXE[7952] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd4750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[8112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[8080] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000003a350a0 6 bytes {JMP QWORD [RIP+0x4baf90]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP aab .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[1712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\KERNEL32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes JMP 699e .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes JMP d1f .text C:\Program Files\Greenshot\Greenshot.exe[1780] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000000001c6650a0 6 bytes JMP ff120000 .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 0 .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe[3468] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 43] .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 6 bytes {JMP QWORD [RIP+0x15cac70]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 10002 .text C:\Program Files\OO Software\Defrag\oodtray.exe[2236] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[5204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70da000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70da000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715a000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 7107000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 7148000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 710d000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 710d000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 711c000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 711c000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 7104000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7119000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7119000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 715d000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 710a000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 7136000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 7116000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 7116000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7133000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7110000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7101000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7113000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7113000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Pamela\Pamela.exe[7412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f5000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f5000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70b1000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70b1000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70db000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70db000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70ae000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70ae000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70de000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70de000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7101000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077a20009 1 byte [71] .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fe000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fe000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70d8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70d8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70a2000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70a2000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7104000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7104000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f2000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f2000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70ab000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70ab000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70a5000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70a5000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70a8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70a8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e1000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e1000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fb000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fb000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719a000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7197000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719d000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715e000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7152000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710d000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714c000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7146000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7164000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7113000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7113000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7158000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712b000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7122000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7122000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710a000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711f000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711f000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715b000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7155000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7161000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714f000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7110000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7167000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713a000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7140000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7149000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716a000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711c000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711c000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7137000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7134000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7128000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712e000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712e000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7131000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7131000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7116000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7107000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716d000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7170000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7143000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713d000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7119000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7119000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7125000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7125000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717c000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7173000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7179000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7176000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7194000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7191000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717f000a .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\GRETECH\GOMTray\GomTray.exe[1448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[7788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\T-Clock 2010\x64\Clock.exe[5780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\T-Clock 2010\x64\Clock.exe[5780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Winamp\winampa.exe[7376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\KatMouse\KatMouse.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 72006f .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 0 .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\Locate\Locate32.exe[1152] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd4750a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe[820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70db000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70db000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70de000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70de000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 00000000cc2fd76d .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7159000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 714d000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 7108000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 7147000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7141000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 715f000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 710e000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 710e000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7153000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 7126000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 711d000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 711d000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 7105000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711a000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711a000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 7156000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7150000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 715c000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714a000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 710b000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7162000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 7135000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 713b000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7144000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 7165000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 7117000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 7117000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7132000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 712f000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7123000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7129000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7129000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 712c000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 712c000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7111000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7102000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 7168000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 716b000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 713e000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 7138000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7114000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7114000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7120000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 716e000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Stickies\stickies.exe[2400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes {JMP QWORD [RIP+0x87fc520]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes [B5, 6F, 15] .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes [FF, 25, 70, AC, 19] .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x385940]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x6cf420]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\UltraMon\UltraMon.exe[5748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[8304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7100000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7100000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 715a000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 7148000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 710f000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 710f000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 711e000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 711e000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 711b000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 711b000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 715d000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 710c000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 7136000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 7118000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 7118000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7133000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7112000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7103000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 7115000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 7115000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe[8432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes [DE, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes [EA, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes [02, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes [D2, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes [F3, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes [DB, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes [F0, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes [D8, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes [ED, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes [F9, 70] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007580103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075801072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes [14, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes [23, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes [20, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes [1D, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes [2F, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes [32, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes [1A, 71] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe[8452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes [26, 71] .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes {JMP QWORD [RIP+0xedd60]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes {JMP QWORD [RIP+0x10db78]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes {JMP QWORD [RIP+0x143780]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda6a6f0 6 bytes {JMP QWORD [RIP+0x385940]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[8536] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda90c10 6 bytes {JMP QWORD [RIP+0x37f420]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[7532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text C:\Program Files (x86)\Java\jre7\bin\javaw.exe[8564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077843b10 6 bytes JMP 56535540 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778713a0 6 bytes {JMP QWORD [RIP+0x87aec90]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778715e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778716c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077871800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778719f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 6 bytes {JMP QWORD [RIP+0x8cce530]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077871bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077871d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077872130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776098e0 6 bytes {JMP QWORD [RIP+0x8a96750]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077620650 6 bytes {JMP QWORD [RIP+0x8a3f9e0]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007769acf0 6 bytes {JMP QWORD [RIP+0x89e5340]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd9a9055 3 bytes CALL 0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9b53c0 5 bytes JMP 7ed1 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeff22d0 6 bytes JMP 0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeff24b8 6 bytes JMP 0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeff5be0 6 bytes JMP 317e4c .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeff8384 6 bytes JMP 0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeff89c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeff933c 6 bytes JMP 0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeffb9e8 6 bytes JMP 1 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeffc8b0 6 bytes JMP aadd80 C:\Program Files\totalcmd\TOTALCMD64.EXE .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6844] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd4750a0 6 bytes JMP 0 .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a1f9e0 3 bytes JMP 71af000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a1f9e4 2 bytes JMP 71af000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a1fcb0 3 bytes JMP 70f7000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a1fcb4 2 bytes JMP 70f7000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a1fd64 3 bytes JMP 70e2000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a1fd68 2 bytes JMP 70e2000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a1fdc8 3 bytes JMP 70e8000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a1fdcc 2 bytes JMP 70e8000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1fec0 3 bytes JMP 70df000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a1fec4 2 bytes JMP 70df000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a1ffa4 3 bytes JMP 70eb000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a1ffa8 2 bytes JMP 70eb000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a20004 3 bytes JMP 7103000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a20008 2 bytes JMP 7103000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a20084 3 bytes JMP 7100000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a20088 2 bytes JMP 7100000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a200b4 3 bytes JMP 70e5000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a200b8 2 bytes JMP 70e5000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a203b8 3 bytes JMP 70d3000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a203bc 2 bytes JMP 70d3000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a20550 3 bytes JMP 7106000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a20554 2 bytes JMP 7106000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a20694 3 bytes JMP 70f4000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a20698 2 bytes JMP 70f4000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2088c 3 bytes JMP 70dc000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a20890 2 bytes JMP 70dc000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a208a4 3 bytes JMP 70d6000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a208a8 2 bytes JMP 70d6000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a20df4 3 bytes JMP 70f1000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a20df8 2 bytes JMP 70f1000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a20ed8 3 bytes JMP 70d9000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a20edc 2 bytes JMP 70d9000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a21be4 3 bytes JMP 70ee000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a21be8 2 bytes JMP 70ee000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a21cb4 3 bytes JMP 70fd000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a21cb8 2 bytes JMP 70fd000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a21d8c 3 bytes JMP 70fa000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a21d90 2 bytes JMP 70fa000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a41287 6 bytes JMP 71a8000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007580103d 6 bytes JMP 719c000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075801072 6 bytes JMP 7199000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007582c9b5 6 bytes JMP 7190000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bcf784 6 bytes JMP 719f000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bd2c9e 4 bytes CALL 71ac0000 .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077308332 6 bytes JMP 7160000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077308bff 6 bytes JMP 7154000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773090d3 6 bytes JMP 710f000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077309679 6 bytes JMP 714e000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773097d2 6 bytes JMP 7148000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007730ee09 6 bytes JMP 7166000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007730efc9 3 bytes JMP 7115000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007730efcd 2 bytes JMP 7115000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773112a5 6 bytes JMP 715a000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007731291f 6 bytes JMP 712d000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetParent 0000000077312d64 3 bytes JMP 7124000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077312d68 2 bytes JMP 7124000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077312da4 6 bytes JMP 710c000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077313698 3 bytes JMP 7121000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007731369c 2 bytes JMP 7121000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077313baa 6 bytes JMP 715d000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077313c61 6 bytes JMP 7157000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077316110 6 bytes JMP 7163000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007731612e 6 bytes JMP 7151000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077316c30 6 bytes JMP 7112000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077317603 6 bytes JMP 7169000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077317668 6 bytes JMP 713c000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773176e0 6 bytes JMP 7142000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007731781f 6 bytes JMP 714b000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007731835c 6 bytes JMP 716c000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007731c4b6 3 bytes JMP 711e000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007731c4ba 2 bytes JMP 711e000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007732c112 6 bytes JMP 7139000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007732d0f5 6 bytes JMP 7136000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007732eb96 6 bytes JMP 712a000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007732ec68 3 bytes JMP 7130000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007732ec6c 2 bytes JMP 7130000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendInput 000000007732ff4a 3 bytes JMP 7133000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007732ff4e 2 bytes JMP 7133000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077349f1d 6 bytes JMP 7118000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077351497 6 bytes JMP 7109000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!mouse_event 000000007736027b 6 bytes JMP 716f000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!keybd_event 00000000773602bf 6 bytes JMP 7172000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077366cfc 6 bytes JMP 7145000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077366d5d 6 bytes JMP 713f000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077367dd7 3 bytes JMP 711b000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077367ddb 2 bytes JMP 711b000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773688eb 3 bytes JMP 7127000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773688ef 2 bytes JMP 7127000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076f658b3 6 bytes JMP 7184000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076f65ea6 6 bytes JMP 717e000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076f67bcc 6 bytes JMP 718d000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076f6b895 6 bytes JMP 7175000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076f6c332 6 bytes JMP 717b000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076f6cbfb 6 bytes JMP 7187000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076f6e743 6 bytes JMP 718a000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f9480f 6 bytes JMP 7178000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a92642 6 bytes JMP 7196000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076a95429 6 bytes JMP 7193000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007545124e 6 bytes JMP 7181000a .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c21465 2 bytes [C2, 75] .text D:\_DOWNLOAD_\pm770lnu.exe[8028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c214bb 2 bytes [C2, 75] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef67d741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef67d5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef67d5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef67d5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef67d7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef67d6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef67d6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef67d7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef67d7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef67d78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef67d4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef67d5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef67d7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2728:8604] 000007fefbbd2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2728:8824] 000007fef74a5124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272c9481e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272c9481e@2c4401c8d486 0x53 0xB7 0xF1 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272c9481e@00186b19de7e 0x26 0x95 0x48 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272c9481e@001891d4600b 0x12 0xB0 0x1B 0x44 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0013105d6563 Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272c9481e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272c9481e@2c4401c8d486 0x53 0xB7 0xF1 0xE3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272c9481e@00186b19de7e 0x26 0x95 0x48 0x84 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272c9481e@001891d4600b 0x12 0xB0 0x1B 0x44 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0013105d6563 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----