GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-25 18:31:55 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 WDC_WD6400AAKS-65A7B2 rev.01.03B01 596,17GB Running: u06b1vir.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\kwrdipob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b9ff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ba0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b9ff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ba0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\services.exe[552] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\services.exe[552] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe1b5720 6 bytes {JMP QWORD [RIP+0x10a910]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd9439f0 6 bytes {JMP QWORD [RIP+0x6c640]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077a57640 6 bytes {JMP QWORD [RIP+0x89489f0]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077a59554 6 bytes {JMP QWORD [RIP+0x8a26adc]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetParent 0000000077a59870 6 bytes {JMP QWORD [RIP+0x89667c0]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077a5c044 6 bytes {JMP QWORD [RIP+0x86c3fec]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!PostMessageA 0000000077a5ca54 6 bytes {JMP QWORD [RIP+0x87035dc]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!EnableWindow 0000000077a5d0f0 6 bytes {JMP QWORD [RIP+0x8a62f40]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!MoveWindow 0000000077a5d120 6 bytes {JMP QWORD [RIP+0x8982f10]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000077a5f0c4 6 bytes {JMP QWORD [RIP+0x8920f6c]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000077a5f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000077a5fc50 6 bytes {JMP QWORD [RIP+0x87403e0]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendMessageA 0000000077a5fcd8 6 bytes {JMP QWORD [RIP+0x8780358]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000077a603f0 6 bytes {JMP QWORD [RIP+0x885fc40]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077a61f30 6 bytes {JMP QWORD [RIP+0x8a3e100]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077a62294 6 bytes {JMP QWORD [RIP+0x867dd9c]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077a63464 6 bytes {JMP QWORD [RIP+0x875cbcc]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077a65c34 6 bytes {JMP QWORD [RIP+0x86da3fc]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077a671e9 5 bytes {JMP QWORD [RIP+0x8698e48]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!GetKeyState 0000000077a678c0 6 bytes {JMP QWORD [RIP+0x88f8770]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077a68e28 6 bytes {JMP QWORD [RIP+0x8817208]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077a68f9c 6 bytes {JMP QWORD [RIP+0x87d7094]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!PostMessageW 0000000077a692d4 6 bytes {JMP QWORD [RIP+0x8716d5c]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendMessageW 0000000077a6a800 6 bytes {JMP QWORD [RIP+0x8795830]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000077a70bf8 6 bytes {JMP QWORD [RIP+0x888f438]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!GetClipboardData 0000000077a71584 6 bytes {JMP QWORD [RIP+0x89ceaac]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000077a72360 6 bytes {JMP QWORD [RIP+0x898dcd0]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000077a75508 6 bytes {JMP QWORD [RIP+0x882ab28]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!mouse_event 0000000077a762c4 6 bytes {JMP QWORD [RIP+0x8629d6c]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077a791a0 6 bytes {JMP QWORD [RIP+0x88c6e90]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077a792e0 6 bytes {JMP QWORD [RIP+0x87a6d50]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077a79320 6 bytes {JMP QWORD [RIP+0x8646d10]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendInput 0000000077a793d0 6 bytes {JMP QWORD [RIP+0x88a6c60]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!BlockInput 0000000077a7b430 6 bytes {JMP QWORD [RIP+0x89a4c00]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077aa16e0 6 bytes {JMP QWORD [RIP+0x8a3e950]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!keybd_event 0000000077ac4474 6 bytes {JMP QWORD [RIP+0x85bbbbc]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077accc58 6 bytes {JMP QWORD [RIP+0x88133d8]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077acdec8 6 bytes {JMP QWORD [RIP+0x8792168]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 0 .text C:\Windows\system32\services.exe[552] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 33006d .text C:\Windows\system32\services.exe[552] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\services.exe[552] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0x10da98]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xcdcc0]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xeda98]} .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d339f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xddcc0]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xfda98]} .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012539f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe1b5720 6 bytes {JMP QWORD [RIP+0x10a910]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 48416d20 .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[748] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000010b39f0 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe1b5720 6 bytes {JMP QWORD [RIP+0x10a910]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 4d0044 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011339f0 6 bytes {JMP QWORD [RIP+0xfc640]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba0030 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 4d0044 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010a39f0 6 bytes {JMP QWORD [RIP+0x32c640]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 0 .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\atiesrxx.exe[124] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 420003 .text C:\Windows\System32\svchost.exe[440] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\System32\svchost.exe[440] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000011839f0 6 bytes {JMP QWORD [RIP+0x18c640]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes JMP 310030 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes JMP ec80 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes JMP decbe044 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes JMP 5 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes JMP 8b9fe38 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes JMP 8b43a39 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes JMP 8bb4028 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes JMP 89cdce8 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes JMP e6f1e841 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes JMP 8a3fc88 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes JMP 89f5939 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes JMP 8e93a81 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes JMP 8c50a88 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes JMP 88af8d9 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes JMP f88d80 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes JMP 89f8ab9 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes JMP 87880 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes JMP 88b1f01 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes JMP 89f5571 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes JMP 89f4ac9 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes JMP b96080 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes JMP 8aff3a8 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes JMP fbe880 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes JMP 28f880 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes JMP 8a934f0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes JMP e4e6e4e6 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes JMP e585e83f .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\System32\SspiCli.dll!EncryptMessage 00000000010e39f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes JMP 720075 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe1b5720 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 9000003a .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 23a0b80 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[764] c:\windows\system32\SSPICLI.DLL!EncryptMessage 00000000010b39f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 4d0044 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011139f0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 0 .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0x16de04]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x18dc18]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0x127dd8]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x107cb8]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0x1469cc]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\system32\atieclxx.exe[1256] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000025939f0 6 bytes {JMP QWORD [RIP+0x5bc640]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe1b5720 6 bytes {JMP QWORD [RIP+0x10a910]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 1000c027 .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1280] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012239f0 6 bytes {JMP QWORD [RIP+0x39c640]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes JMP 11f520 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 4d0044 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000024b39f0 6 bytes {JMP QWORD [RIP+0x18c640]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1548] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP 9c6 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 47e .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010b39f0 6 bytes {JMP QWORD [RIP+0x18c640]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 0 .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 9500005c .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\system32\taskhost.exe[1660] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000026739f0 6 bytes {JMP QWORD [RIP+0x4fc640]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 41a646df .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 7da47edf .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1776] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 710f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 710f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 713c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 713c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 713f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 713f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000073d717fa 2 bytes CALL 75fc1199 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073d71860 2 bytes CALL 75fc1199 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073d71942 2 bytes JMP 7590c29f C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000073d7194d 2 bytes JMP 7590418d C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\fltlib.dll!FilterConnectCommunicationPort 00000000755612c6 6 bytes JMP 71a5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\fltlib.dll!FilterSendMessage 0000000075562384 6 bytes JMP 71a2000a .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes JMP 6c64746e .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL ffffffff .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 7fe .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd9439f0 6 bytes {JMP QWORD [RIP+0x6c640]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0x10da98]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 6d0061 .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes JMP 9000005e .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP ffffffff .text C:\Windows\system32\taskeng.exe[1056] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000023e39f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 4d0044 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010a39f0 6 bytes {JMP QWORD [RIP+0x17c640]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 11] .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 4b0044 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes JMP 890f .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd9439f0 6 bytes {JMP QWORD [RIP+0x6c640]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 19ab .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP bc .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\SearchIndexer.exe[2408] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70ca000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70ca000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70eb000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70eb000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70d6000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70d6000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70dc000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70dc000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d3000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d3000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7103000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7103000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70df000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70df000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70f7000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70f7000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70f4000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70f4000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70d9000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70d9000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70c4000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70c4000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 7109000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 7109000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 710c000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 710c000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70e8000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70e8000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7100000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7100000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 7106000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 7106000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 70fa000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 70fa000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 70fd000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 70fd000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d0000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d0000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70c7000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70c7000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70e5000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70e5000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70cd000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70cd000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e2000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e2000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f1000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f1000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70ee000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70ee000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 7187000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 718a000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 7184000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 717b000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7181000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 717e000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 7166000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 715a000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 7154000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 714e000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 711b000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 711b000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 716c000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7160000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 7115000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 7115000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7133000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 7127000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 7127000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7163000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 715d000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 712a000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 712a000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7112000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7130000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 7136000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 7136000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7172000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 7124000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 7124000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 713f000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 716f000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 7148000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 713c000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 7157000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 7169000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7151000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 7118000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7142000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 7139000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 7139000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 711e000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 710f000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 7175000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 7178000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 714b000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 7145000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7121000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7121000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 712d000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 712d000a .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 11] .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP ffffffff .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x1bdc18]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x1d8c80]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x2144ec]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\MSIMG32.dll!AlphaBlend 000007fefcb31180 6 bytes {JMP QWORD [RIP+0x4eeb0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\MSIMG32.dll!TransparentBlt 000007fefcb31350 6 bytes {JMP QWORD [RIP+0x2ece0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Program Files\Gadwin\Gadwin PrintScreen\PrintScreen64.exe[2808] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024e39f0 6 bytes {JMP QWORD [RIP+0x17c640]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes JMP 0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 128c80 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3012] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 11] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3032] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes JMP 18 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes JMP e06d7363 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 11] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0x19de04]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x1bdc18]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes JMP 900000e8 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[1612] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000053439f0 6 bytes {JMP QWORD [RIP+0x4c640]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes [F0, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes [D8, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes [FC, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes [0E, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes [ED, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes [05, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes [FF, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes [D5, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes [EA, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes [D2, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes [E7, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes [F6, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes [F3, 70] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes [9B, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!DispatchMessageW 0000000077497deb 5 bytes JMP 000000016a0da040 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!DispatchMessageA 0000000077498103 5 bytes JMP 000000016a0da010 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000077498b9a 5 bytes JMP 000000016a0daa20 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007749a5e6 5 bytes JMP 000000016a0da8e0 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetWindowPos 000000007749cdb4 5 bytes JMP 000000016a0da1a0 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes [20, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000774a0112 5 bytes JMP 000000016a0da360 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000774a0dbe 5 bytes JMP 000000016a0da070 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!EndPaint 00000000774a0e9a 5 bytes JMP 000000016a0da440 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!BeginPaint 00000000774a0eba 5 bytes JMP 000000016a0da3e0 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes [1A, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 00000000774a1d34 5 bytes JMP 000000016a0da2a0 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!DestroyWindow 00000000774a1e6e 5 bytes JMP 000000016a0da170 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 00000000774a260a 5 bytes JMP 000000016a0da860 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!WindowFromPoint 00000000774a2ddb 5 bytes JMP 000000016a0d9940 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetCapture 00000000774a2ed1 5 bytes JMP 000000016a0da2e0 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes [2C, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes [2F, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetCursor 00000000774a4076 5 bytes JMP 000000016a0d9920 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes [3B, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!BringWindowToTop 00000000774a7ba7 5 bytes JMP 000000016a0da3c0 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes [29, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!AnimateWindow 00000000774b2b8d 5 bytes JMP 000000016a0da210 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindow 00000000774b30a6 5 bytes JMP 000000016a0da790 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000774bed58 5 bytes JMP 000000016a0da300 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes [3E, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes [26, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes [32, 71] .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr.exe[1156] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes [F0, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes [D8, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes [FC, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes [0E, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes [05, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes [FF, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes [D5, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes [EA, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes [D2, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes [E7, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes [F6, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes [F3, 70] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes [9B, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes [20, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes [1A, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes [2C, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes [2F, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes [3B, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes [29, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes [3E, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes [26, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes [32, 71] .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\Raptr\raptr_im.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes CALL 9b30000 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!BitBlt 000007fefea62418 6 bytes JMP 0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes JMP 4d0044 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[5040] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f980 3 bytes JMP 71af000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4f984 2 bytes JMP 71af000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fac8 3 bytes JMP 70d0000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4facc 2 bytes JMP 70d0000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fc50 3 bytes JMP 70f1000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fc54 2 bytes JMP 70f1000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd04 3 bytes JMP 70dc000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fd08 2 bytes JMP 70dc000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fd68 3 bytes JMP 70e2000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fd6c 2 bytes JMP 70e2000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4fe60 3 bytes JMP 70d9000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4fe64 2 bytes JMP 70d9000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ff14 3 bytes JMP 7109000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ff18 2 bytes JMP 7109000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ff44 3 bytes JMP 70e5000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4ff48 2 bytes JMP 70e5000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d4ffa4 3 bytes JMP 70fd000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d4ffa8 2 bytes JMP 70fd000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d50024 3 bytes JMP 70fa000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d50028 2 bytes JMP 70fa000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50054 3 bytes JMP 70df000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50058 2 bytes JMP 70df000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50358 3 bytes JMP 70ca000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d5035c 2 bytes JMP 70ca000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d50370 3 bytes JMP 710f000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50374 2 bytes JMP 710f000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d504f0 3 bytes JMP 7112000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d504f4 2 bytes JMP 7112000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d50634 3 bytes JMP 70ee000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d50638 2 bytes JMP 70ee000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50694 3 bytes JMP 7106000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50698 2 bytes JMP 7106000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d5073c 3 bytes JMP 710c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d50740 2 bytes JMP 710c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50784 3 bytes JMP 7100000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50788 2 bytes JMP 7100000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d50814 3 bytes JMP 7103000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d50818 2 bytes JMP 7103000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d5082c 3 bytes JMP 70d6000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d50830 2 bytes JMP 70d6000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d50844 3 bytes JMP 70cd000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d50848 2 bytes JMP 70cd000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50d94 3 bytes JMP 70eb000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50d98 2 bytes JMP 70eb000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50e78 3 bytes JMP 70d3000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50e7c 2 bytes JMP 70d3000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51b84 3 bytes JMP 70e8000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51b88 2 bytes JMP 70e8000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51c54 3 bytes JMP 70f7000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51c58 2 bytes JMP 70f7000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51d2c 3 bytes JMP 70f4000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51d30 2 bytes JMP 70f4000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71067 6 bytes JMP 71a8000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075fd117b 3 bytes JMP 719c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075fd117f 2 bytes JMP 719c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007758eae7 6 bytes JMP 719f000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000077591d26 4 bytes CALL 71ac0000 .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077498b7c 6 bytes JMP 716c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077498e6e 6 bytes JMP 7160000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007749cd35 6 bytes JMP 715a000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007749d0da 6 bytes JMP 7154000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007749d277 3 bytes JMP 7121000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007749d27b 2 bytes JMP 7121000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749f0e6 6 bytes JMP 7172000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774a0f14 6 bytes JMP 7166000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774a0f9f 3 bytes JMP 711b000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000774a0fa3 2 bytes JMP 711b000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000774a2902 6 bytes JMP 7139000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000774a35fb 3 bytes JMP 712d000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000774a35ff 2 bytes JMP 712d000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000774a3cbf 6 bytes JMP 7169000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000774a3d76 6 bytes JMP 7163000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetParent 00000000774a3f14 3 bytes JMP 7130000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000774a3f18 2 bytes JMP 7130000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000774a3f54 6 bytes JMP 7118000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000774a4858 6 bytes JMP 7136000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000774a492a 3 bytes JMP 713c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000774a492e 2 bytes JMP 713c000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a8364 6 bytes JMP 7178000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000774ab7e6 3 bytes JMP 712a000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000774ab7ea 2 bytes JMP 712a000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000774ac991 6 bytes JMP 7145000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774b06b3 6 bytes JMP 7175000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774b090f 6 bytes JMP 714e000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000774b2959 6 bytes JMP 7142000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000774beef4 6 bytes JMP 715d000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000774bef4a 6 bytes JMP 716f000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000774bf422 6 bytes JMP 7157000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000774bf9b0 6 bytes JMP 711e000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000774c0f60 6 bytes JMP 7148000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendInput 00000000774c195e 3 bytes JMP 713f000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000774c1962 2 bytes JMP 713f000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000774d9f3b 6 bytes JMP 7124000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774e15ef 6 bytes JMP 7115000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774f040b 6 bytes JMP 717b000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774f044f 6 bytes JMP 717e000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774f6e8c 6 bytes JMP 7151000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774f6eed 6 bytes JMP 714b000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774f7f67 3 bytes JMP 7127000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774f7f6b 2 bytes JMP 7127000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774f8a7b 3 bytes JMP 7133000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774f8a7f 2 bytes JMP 7133000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076565876 6 bytes JMP 7190000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076565ea6 6 bytes JMP 718a000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765695f4 6 bytes JMP 7199000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007656b8d0 6 bytes JMP 7193000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007656ba55 6 bytes JMP 7181000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007656c74f 6 bytes JMP 7187000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007656e45d 6 bytes JMP 7196000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076594636 6 bytes JMP 7184000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000758c11a0 6 bytes JMP 718d000a .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a71401 2 bytes JMP 75fdeb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a71419 2 bytes JMP 75feb513 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a71431 2 bytes JMP 76068609 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a7144a 2 bytes CALL 75fc1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a714dd 2 bytes JMP 76067efe C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a714f5 2 bytes JMP 760680d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a7150d 2 bytes JMP 76067df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a71525 2 bytes JMP 760681c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a7153d 2 bytes JMP 75fdf088 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a71555 2 bytes JMP 75feb885 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a7156d 2 bytes JMP 760686c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a71585 2 bytes JMP 76068222 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a7159d 2 bytes JMP 76067db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a715b5 2 bytes JMP 75fdf121 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a715cd 2 bytes JMP 75feb29f C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a716b2 2 bytes JMP 76068584 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bartek\Downloads\u06b1vir.exe[5060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a716bd 2 bytes JMP 76067d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b72fd0 6 bytes {JMP QWORD [RIP+0x84cd060]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9ffa0 6 bytes {JMP QWORD [RIP+0x8480090]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ba0070 6 bytes {JMP QWORD [RIP+0x8c1ffc0]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba0170 6 bytes {JMP QWORD [RIP+0x8abfec0]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ba01e0 6 bytes {JMP QWORD [RIP+0x8b9fe50]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ba0220 6 bytes {JMP QWORD [RIP+0x8b5fe10]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ba02c0 6 bytes {JMP QWORD [RIP+0x8bbfd70]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ba0330 6 bytes {JMP QWORD [RIP+0x89bfd00]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ba0350 6 bytes {JMP QWORD [RIP+0x8b3fce0]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ba0390 6 bytes {JMP QWORD [RIP+0x8a3fca0]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ba03e0 6 bytes {JMP QWORD [RIP+0x8a5fc50]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ba0400 6 bytes {JMP QWORD [RIP+0x8b7fc30]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ba05f0 6 bytes {JMP QWORD [RIP+0x8c5fa40]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ba0600 6 bytes {JMP QWORD [RIP+0x897fa30]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ba0700 6 bytes {JMP QWORD [RIP+0x895f930]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ba07d0 6 bytes {JMP QWORD [RIP+0x8adf860]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ba0810 6 bytes {JMP QWORD [RIP+0x89df820]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ba0880 6 bytes {JMP QWORD [RIP+0x899f7b0]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ba08b0 6 bytes {JMP QWORD [RIP+0x8a1f780]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ba0910 6 bytes {JMP QWORD [RIP+0x89ff720]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ba0920 6 bytes {JMP QWORD [RIP+0x8bdf710]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ba0930 6 bytes {JMP QWORD [RIP+0x8c3f700]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ba0ca0 6 bytes {JMP QWORD [RIP+0x8aff390]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ba0d30 6 bytes {JMP QWORD [RIP+0x8bff300]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ba15a0 6 bytes {JMP QWORD [RIP+0x8b1ea90]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ba1620 6 bytes {JMP QWORD [RIP+0x8a7ea10]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ba16a0 6 bytes {JMP QWORD [RIP+0x8a9e990]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 000000007794a600 6 bytes {JMP QWORD [RIP+0x8715a30]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefde1a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefde24920 5 bytes [FF, 25, 10, B7, 0C] .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefea6222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!BitBlt 000007fefea62418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefea673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefea68258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefea68378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!GetPixel 000007fefea69664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefea6bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefea6dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd872370 6 bytes {JMP QWORD [RIP+0xbdcc0]} .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd872598 6 bytes {JMP QWORD [RIP+0xdda98]} ---- User IAT/EAT - GMER 2.1 ---- IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef92c741c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef92c5f10] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef92c5674] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef92c5e2c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef92c7f48] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef92c6a38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef92c6ee8] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef92c7b58] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef92c7ea0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef92c78b0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef92c4fb4] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef92c5d38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef92c7584] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Processes - GMER 2.1 ---- Process C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe (*** suspicious ***) @ C:\Users\Bartek\AppData\Roaming\uTorrent\uTorrent.exe [2760] (µTorrent/BitTorrent Inc.)(2014-05-11 16:30:05) 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----