GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-04 00:50:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: qnqnkjlr.exe; Driver: E:\UPDTWI~1\kwddrkog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88006b46d8c 12 bytes {MOV RAX, 0xfffffa80082f82a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774fdc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774fde60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774fdc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774fde60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\services.exe[588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\services.exe[588] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff503e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000773b6ef0 6 bytes {JMP QWORD [RIP+0x9089140]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000773b8184 6 bytes {JMP QWORD [RIP+0x9167eac]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetParent 00000000773b8530 6 bytes {JMP QWORD [RIP+0x90a7b00]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000773b9bcc 6 bytes {JMP QWORD [RIP+0x8e06464]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!PostMessageA 00000000773ba404 6 bytes {JMP QWORD [RIP+0x8e45c2c]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!EnableWindow 00000000773baaa0 6 bytes {JMP QWORD [RIP+0x91a5590]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!MoveWindow 00000000773baad0 6 bytes {JMP QWORD [RIP+0x90c5560]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000773bc720 6 bytes {JMP QWORD [RIP+0x9063910]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000773bcd50 6 bytes {JMP QWORD [RIP+0x91432e0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000773bd2b0 6 bytes {JMP QWORD [RIP+0x8e82d80]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendMessageA 00000000773bd338 6 bytes {JMP QWORD [RIP+0x8ec2cf8]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000773bdc40 6 bytes {JMP QWORD [RIP+0x8fa23f0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000773bf510 6 bytes {JMP QWORD [RIP+0x9180b20]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773bf874 6 bytes {JMP QWORD [RIP+0x8dc07bc]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000773bfac0 6 bytes {JMP QWORD [RIP+0x8f20570]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773c0b74 6 bytes {JMP QWORD [RIP+0x8e9f4bc]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773c33b0 6 bytes {JMP QWORD [RIP+0x8e1cc80]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000773c4d4d 5 bytes {JMP QWORD [RIP+0x8ddb2e4]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!GetKeyState 00000000773c5010 6 bytes {JMP QWORD [RIP+0x903b020]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773c5438 6 bytes {JMP QWORD [RIP+0x8f5abf8]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendMessageW 00000000773c6b50 6 bytes {JMP QWORD [RIP+0x8ed94e0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!PostMessageW 00000000773c76e4 6 bytes {JMP QWORD [RIP+0x8e5894c]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773cdd90 6 bytes {JMP QWORD [RIP+0x8fd22a0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ce874 6 bytes {JMP QWORD [RIP+0x91117bc]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773cf780 6 bytes {JMP QWORD [RIP+0x90d08b0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773d28e4 6 bytes {JMP QWORD [RIP+0x8f6d74c]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!mouse_event 00000000773d3894 6 bytes {JMP QWORD [RIP+0x8d6c79c]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773d8a10 6 bytes {JMP QWORD [RIP+0x9007620]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773d8be0 6 bytes {JMP QWORD [RIP+0x8ee7450]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773d8c20 6 bytes {JMP QWORD [RIP+0x8d87410]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendInput 00000000773d8cd0 6 bytes {JMP QWORD [RIP+0x8fe7360]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!BlockInput 00000000773dad60 6 bytes {JMP QWORD [RIP+0x90e52d0]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774014e0 6 bytes {JMP QWORD [RIP+0x917eb50]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!keybd_event 00000000774245a4 6 bytes {JMP QWORD [RIP+0x8cfba8c]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007742cc08 6 bytes {JMP QWORD [RIP+0x8f53428]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007742df18 6 bytes {JMP QWORD [RIP+0x8ed2118]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 0 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\services.exe[588] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 200072 .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff503e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 3bc011f .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff503e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP fe020000 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes JMP 72006f .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774fdd30 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 8 bytes JMP 000000016fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 6f2d .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 4e .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes JMP 36000780 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes JMP 42000540 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes JMP b600002e .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes JMP bac5244a .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 3301c0 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes CALL 0 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000773b6ef0 6 bytes {JMP QWORD [RIP+0x9089140]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000773b8184 6 bytes {JMP QWORD [RIP+0x9167eac]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetParent 00000000773b8530 6 bytes JMP 7b00b6aa .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000773b9bcc 6 bytes {JMP QWORD [RIP+0x8e06464]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!PostMessageA 00000000773ba404 6 bytes {JMP QWORD [RIP+0x8e45c2c]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!EnableWindow 00000000773baaa0 6 bytes {JMP QWORD [RIP+0x91a5590]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!MoveWindow 00000000773baad0 6 bytes JMP 8400f152 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000773bc720 6 bytes {JMP QWORD [RIP+0x9063910]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000773bcd50 6 bytes {JMP QWORD [RIP+0x91432e0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000773bd2b0 6 bytes JMP 615ae8ad .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendMessageA 00000000773bd338 6 bytes {JMP QWORD [RIP+0x8ec2cf8]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000773bdc40 6 bytes JMP 4300118e .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000773bf510 6 bytes {JMP QWORD [RIP+0x9180b20]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773bf874 6 bytes JMP 70000010 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000773bfac0 6 bytes {JMP QWORD [RIP+0x8f20570]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773c0b74 6 bytes {JMP QWORD [RIP+0x8e9f4bc]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773c33b0 6 bytes {JMP QWORD [RIP+0x8e1cc80]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000773c4d4d 5 bytes {JMP QWORD [RIP+0x8ddb2e4]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!GetKeyState 00000000773c5010 6 bytes {JMP QWORD [RIP+0x903b020]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773c5438 6 bytes {JMP QWORD [RIP+0x8f5abf8]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendMessageW 00000000773c6b50 6 bytes {JMP QWORD [RIP+0x8ed94e0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!PostMessageW 00000000773c76e4 6 bytes JMP c1df3a .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773cdd90 6 bytes {JMP QWORD [RIP+0x8fd22a0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ce874 6 bytes {JMP QWORD [RIP+0x91117bc]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773cf780 6 bytes {JMP QWORD [RIP+0x90d08b0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773d28e4 6 bytes JMP 272122 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!mouse_event 00000000773d3894 6 bytes JMP 80000010 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773d8a10 6 bytes {JMP QWORD [RIP+0x9007620]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773d8be0 6 bytes {JMP QWORD [RIP+0x8ee7450]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773d8c20 6 bytes {JMP QWORD [RIP+0x8d87410]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendInput 00000000773d8cd0 6 bytes {JMP QWORD [RIP+0x8fe7360]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!BlockInput 00000000773dad60 6 bytes {JMP QWORD [RIP+0x90e52d0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774014e0 6 bytes {JMP QWORD [RIP+0x917eb50]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!keybd_event 00000000774245a4 6 bytes {JMP QWORD [RIP+0x8cfba8c]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007742cc08 6 bytes JMP a534eb99 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[1016] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007742df18 6 bytes {JMP QWORD [RIP+0x8ed2118]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 32] .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\atiesrxx.exe[244] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x258ba0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 1ecb6f8 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 1e0e540 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes JMP a2a180 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes JMP 2a3e1f1 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes JMP 4ca2179 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes JMP 76 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes JMP 92cc810 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes JMP 560056 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes JMP 18b24480 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes JMP 1a9a0c81 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes JMP 68 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes JMP 74 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes JMP 78 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes JMP e2137f8 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes JMP 10c12be8 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes JMP 5f006d .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes JMP 7c00 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes JMP 19c51080 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes JMP 10c49f80 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes JMP 18fb4080 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes JMP 93219fa .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes JMP 2980a21 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes JMP 1f5d000 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes JMP 93415ea .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes JMP d739bb9 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes JMP 5c004e .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes JMP fcdf669 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes JMP fcdde81 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes JMP 93839d9 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes JMP 8c16101 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes JMP b562eb8 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes JMP d2ecd11 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes JMP 53005c .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 30242073 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP d1f .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 3bc011f .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff503e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP fe020000 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes JMP 72006f .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 3a0043 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdc38f1c 5 bytes [FF, 25, 14, 71, DA] .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefde522e4 6 bytes {JMP QWORD [RIP+0xb5dd4c]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 2c28fe0 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP fb332318 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 32d0fb61 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP aab .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP ba200000 .text C:\Windows\system32\AUDIODG.EXE[1160] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1204] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes JMP 117 .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes CALL 3000025 .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\servicing\TrustedInstaller.exe[1304] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 74736c74 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff503e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[1676] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1844] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 4d68636d .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 730077 .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 70b5000a .text C:\Windows\SysWOW64\svchost.exe[1984] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 70b8000a .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 3bc011f .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000773b6ef0 6 bytes {JMP QWORD [RIP+0x9089140]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000773b8184 6 bytes {JMP QWORD [RIP+0x9167eac]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetParent 00000000773b8530 6 bytes {JMP QWORD [RIP+0x90a7b00]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000773b9bcc 6 bytes {JMP QWORD [RIP+0x8e06464]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!PostMessageA 00000000773ba404 6 bytes {JMP QWORD [RIP+0x8e45c2c]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!EnableWindow 00000000773baaa0 6 bytes {JMP QWORD [RIP+0x91a5590]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!MoveWindow 00000000773baad0 6 bytes {JMP QWORD [RIP+0x90c5560]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000773bc720 6 bytes {JMP QWORD [RIP+0x9063910]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000773bcd50 6 bytes {JMP QWORD [RIP+0x91432e0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000773bd2b0 6 bytes {JMP QWORD [RIP+0x8e82d80]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendMessageA 00000000773bd338 6 bytes {JMP QWORD [RIP+0x8ec2cf8]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000773bdc40 6 bytes {JMP QWORD [RIP+0x8fa23f0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000773bf510 6 bytes {JMP QWORD [RIP+0x9180b20]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773bf874 6 bytes {JMP QWORD [RIP+0x8dc07bc]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000773bfac0 6 bytes {JMP QWORD [RIP+0x8f20570]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773c0b74 6 bytes {JMP QWORD [RIP+0x8e9f4bc]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773c33b0 6 bytes {JMP QWORD [RIP+0x8e1cc80]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000773c4d4d 5 bytes {JMP QWORD [RIP+0x8ddb2e4]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!GetKeyState 00000000773c5010 6 bytes {JMP QWORD [RIP+0x903b020]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773c5438 6 bytes {JMP QWORD [RIP+0x8f5abf8]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendMessageW 00000000773c6b50 6 bytes {JMP QWORD [RIP+0x8ed94e0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!PostMessageW 00000000773c76e4 6 bytes {JMP QWORD [RIP+0x8e5894c]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773cdd90 6 bytes {JMP QWORD [RIP+0x8fd22a0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ce874 6 bytes {JMP QWORD [RIP+0x91117bc]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773cf780 6 bytes {JMP QWORD [RIP+0x90d08b0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773d28e4 6 bytes {JMP QWORD [RIP+0x8f6d74c]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!mouse_event 00000000773d3894 6 bytes {JMP QWORD [RIP+0x8d6c79c]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773d8a10 6 bytes {JMP QWORD [RIP+0x9007620]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773d8be0 6 bytes {JMP QWORD [RIP+0x8ee7450]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773d8c20 6 bytes {JMP QWORD [RIP+0x8d87410]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendInput 00000000773d8cd0 6 bytes {JMP QWORD [RIP+0x8fe7360]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!BlockInput 00000000773dad60 6 bytes {JMP QWORD [RIP+0x90e52d0]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774014e0 6 bytes {JMP QWORD [RIP+0x917eb50]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!keybd_event 00000000774245a4 6 bytes {JMP QWORD [RIP+0x8cfba8c]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007742cc08 6 bytes {JMP QWORD [RIP+0x8f53428]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007742df18 6 bytes {JMP QWORD [RIP+0x8ed2118]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP fe020000 .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes JMP 72006f .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\System32\svchost.exe[2108] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\IoctlSvc.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 54 .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\System32\svchost.exe[2188] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 0 .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 10002 .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000773b6ef0 6 bytes {JMP QWORD [RIP+0x9089140]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000773b8184 6 bytes {JMP QWORD [RIP+0x9167eac]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetParent 00000000773b8530 6 bytes {JMP QWORD [RIP+0x90a7b00]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000773b9bcc 6 bytes {JMP QWORD [RIP+0x8e06464]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!PostMessageA 00000000773ba404 6 bytes {JMP QWORD [RIP+0x8e45c2c]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!EnableWindow 00000000773baaa0 6 bytes {JMP QWORD [RIP+0x91a5590]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!MoveWindow 00000000773baad0 6 bytes {JMP QWORD [RIP+0x90c5560]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000773bc720 6 bytes {JMP QWORD [RIP+0x9063910]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000773bcd50 6 bytes {JMP QWORD [RIP+0x91432e0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000773bd2b0 6 bytes {JMP QWORD [RIP+0x8e82d80]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendMessageA 00000000773bd338 6 bytes {JMP QWORD [RIP+0x8ec2cf8]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000773bdc40 6 bytes {JMP QWORD [RIP+0x8fa23f0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000773bf510 6 bytes {JMP QWORD [RIP+0x9180b20]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773bf874 6 bytes {JMP QWORD [RIP+0x8dc07bc]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000773bfac0 6 bytes {JMP QWORD [RIP+0x8f20570]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773c0b74 6 bytes {JMP QWORD [RIP+0x8e9f4bc]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773c33b0 6 bytes {JMP QWORD [RIP+0x8e1cc80]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000773c4d4d 5 bytes {JMP QWORD [RIP+0x8ddb2e4]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!GetKeyState 00000000773c5010 6 bytes {JMP QWORD [RIP+0x903b020]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773c5438 6 bytes {JMP QWORD [RIP+0x8f5abf8]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendMessageW 00000000773c6b50 6 bytes {JMP QWORD [RIP+0x8ed94e0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!PostMessageW 00000000773c76e4 6 bytes {JMP QWORD [RIP+0x8e5894c]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773cdd90 6 bytes {JMP QWORD [RIP+0x8fd22a0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ce874 6 bytes {JMP QWORD [RIP+0x91117bc]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773cf780 6 bytes {JMP QWORD [RIP+0x90d08b0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773d28e4 6 bytes {JMP QWORD [RIP+0x8f6d74c]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!mouse_event 00000000773d3894 6 bytes {JMP QWORD [RIP+0x8d6c79c]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773d8a10 6 bytes {JMP QWORD [RIP+0x9007620]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773d8be0 6 bytes {JMP QWORD [RIP+0x8ee7450]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773d8c20 6 bytes {JMP QWORD [RIP+0x8d87410]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendInput 00000000773d8cd0 6 bytes {JMP QWORD [RIP+0x8fe7360]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!BlockInput 00000000773dad60 6 bytes {JMP QWORD [RIP+0x90e52d0]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774014e0 6 bytes {JMP QWORD [RIP+0x917eb50]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!keybd_event 00000000774245a4 6 bytes {JMP QWORD [RIP+0x8cfba8c]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007742cc08 6 bytes {JMP QWORD [RIP+0x8f53428]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007742df18 6 bytes {JMP QWORD [RIP+0x8ed2118]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 12a75750 .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 10002 .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text e:\Program Files\Serviio\bin\ServiioService.exe[2300] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70c1000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70c1000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70e2000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70e2000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70cd000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70cd000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d3000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d3000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70ca000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70ca000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70fa000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70fa000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d6000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d6000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70ee000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70ee000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70eb000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70eb000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70d0000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70d0000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70bb000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70bb000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 7100000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 7100000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7103000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7103000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70df000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70df000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f7000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f7000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fd000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fd000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70f1000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70f1000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f4000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f4000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c7000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c7000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70be000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70be000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70dc000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70dc000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c4000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c4000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d9000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d9000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e8000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e8000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e5000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e5000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 715d000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7151000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 710c000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 714b000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7145000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7163000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7112000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7112000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7157000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 712a000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7121000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7121000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7109000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 711e000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 711e000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 715a000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7154000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7160000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 714e000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710f000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7166000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7139000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713f000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7148000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7169000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 711b000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 711b000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7136000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7133000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7127000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 712d000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712d000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7130000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7130000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7115000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7106000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 716c000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 716f000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7142000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 713c000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7118000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7118000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7124000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7124000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 717b000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7172000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7178000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7175000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text e:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70b5000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70b5000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70d6000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70d6000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c1000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c1000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70c7000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70c7000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70be000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70be000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70ee000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70ee000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70ca000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70ca000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e2000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e2000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70df000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70df000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70c4000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70c4000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70af000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70af000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70f4000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70f4000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70f7000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70f7000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d3000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d3000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70eb000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70eb000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f1000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f1000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70e5000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70e5000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70e8000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70e8000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70bb000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70bb000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b2000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b2000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d0000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d0000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70b8000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70b8000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70cd000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70cd000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70dc000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70dc000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70d9000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70d9000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7181000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 7178000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 7184000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 717e000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 717b000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7151000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7145000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7100000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 713f000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7139000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7157000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7106000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7106000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 714b000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 711e000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7115000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7115000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 70fd000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7112000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7112000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 714e000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7148000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7154000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7142000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7103000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 715a000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 712d000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7133000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 713c000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 715d000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 710f000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 710f000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 712a000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7127000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 711b000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7121000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7121000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7124000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7124000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7109000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 70fa000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7160000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7163000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7136000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7130000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 710c000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 710c000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7118000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7118000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 7187000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 716f000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7166000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 716c000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7169000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7172000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 7175000a .text E:\Samsung Drive Manager\SZDrvSvc.exe[2444] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 36] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes CALL 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 36] .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 31] .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\atieclxx.exe[3256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes JMP e020e51 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes JMP 21c4500 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes JMP bcabcab5 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes JMP e33077f .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes JMP b6a263c4 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes JMP 1 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes JMP 90c2364 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes JMP 4 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes JMP f2b .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes JMP 7e003b5 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes JMP c32e9dd .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes JMP 54c0217 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes JMP d4407a7 .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes JMP 877be4cf .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\SearchIndexer.exe[3268] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 6f2d .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 4e .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes JMP ffffffff .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 200073 .text C:\Windows\system32\Dwm.exe[3624] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes JMP ffcdcfd2 C:\Windows\Explorer.EXE .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 36cb .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 7a0069 .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000773b6ef0 6 bytes {JMP QWORD [RIP+0x9089140]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000773b8184 6 bytes {JMP QWORD [RIP+0x9167eac]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetParent 00000000773b8530 6 bytes {JMP QWORD [RIP+0x90a7b00]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000773b9bcc 6 bytes {JMP QWORD [RIP+0x8e06464]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!PostMessageA 00000000773ba404 6 bytes {JMP QWORD [RIP+0x8e45c2c]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!EnableWindow 00000000773baaa0 6 bytes {JMP QWORD [RIP+0x91a5590]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!MoveWindow 00000000773baad0 6 bytes {JMP QWORD [RIP+0x90c5560]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000773bc720 6 bytes {JMP QWORD [RIP+0x9063910]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000773bcd50 6 bytes {JMP QWORD [RIP+0x91432e0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000773bd2b0 6 bytes {JMP QWORD [RIP+0x8e82d80]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendMessageA 00000000773bd338 6 bytes {JMP QWORD [RIP+0x8ec2cf8]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000773bdc40 6 bytes {JMP QWORD [RIP+0x8fa23f0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000773bf510 6 bytes {JMP QWORD [RIP+0x9180b20]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773bf874 6 bytes {JMP QWORD [RIP+0x8dc07bc]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000773bfac0 6 bytes {JMP QWORD [RIP+0x8f20570]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773c0b74 6 bytes {JMP QWORD [RIP+0x8e9f4bc]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000773c33b0 6 bytes {JMP QWORD [RIP+0x8e1cc80]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000773c4d4d 5 bytes {JMP QWORD [RIP+0x8ddb2e4]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!GetKeyState 00000000773c5010 6 bytes {JMP QWORD [RIP+0x903b020]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773c5438 6 bytes {JMP QWORD [RIP+0x8f5abf8]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendMessageW 00000000773c6b50 6 bytes {JMP QWORD [RIP+0x8ed94e0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!PostMessageW 00000000773c76e4 6 bytes {JMP QWORD [RIP+0x8e5894c]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773cdd90 6 bytes {JMP QWORD [RIP+0x8fd22a0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ce874 6 bytes {JMP QWORD [RIP+0x91117bc]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773cf780 6 bytes {JMP QWORD [RIP+0x90d08b0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773d28e4 6 bytes {JMP QWORD [RIP+0x8f6d74c]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!mouse_event 00000000773d3894 6 bytes {JMP QWORD [RIP+0x8d6c79c]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773d8a10 6 bytes {JMP QWORD [RIP+0x9007620]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773d8be0 6 bytes {JMP QWORD [RIP+0x8ee7450]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773d8c20 6 bytes {JMP QWORD [RIP+0x8d87410]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendInput 00000000773d8cd0 6 bytes {JMP QWORD [RIP+0x8fe7360]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!BlockInput 00000000773dad60 6 bytes {JMP QWORD [RIP+0x90e52d0]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774014e0 6 bytes {JMP QWORD [RIP+0x917eb50]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!keybd_event 00000000774245a4 6 bytes {JMP QWORD [RIP+0x8cfba8c]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007742cc08 6 bytes {JMP QWORD [RIP+0x8f53428]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007742df18 6 bytes {JMP QWORD [RIP+0x8ed2118]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdc38f1c 6 bytes {JMP QWORD [RIP+0x1037114]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefde522e4 6 bytes {JMP QWORD [RIP+0xdfdd4c]} .text C:\Windows\Explorer.EXE[3652] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes CALL 3000025 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 0 .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes CALL 7965acab .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2152] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 2dd720 .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes JMP 470042ff .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2088] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNEL32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP 10002 .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP b30158 .text E:\Program Files (x86)\HTC Home 3\Clock.exe[4224] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 11 .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70b5000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70b5000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70d6000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70d6000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c1000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c1000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70c7000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70c7000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70be000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70be000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70ee000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70ee000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70ca000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70ca000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e2000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e2000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70df000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70df000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70c4000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70c4000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70af000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70af000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70f4000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70f4000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70f7000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70f7000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d3000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d3000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70eb000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70eb000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f1000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f1000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70e5000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70e5000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70e8000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70e8000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70bb000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70bb000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b2000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b2000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d0000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d0000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70b8000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70b8000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70cd000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70cd000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70dc000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70dc000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70d9000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70d9000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7181000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 7178000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 7184000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 717e000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 717b000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7151000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7145000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7100000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 713f000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7139000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7157000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7106000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7106000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 714b000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 711e000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7115000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7115000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 70fd000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7112000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7112000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 714e000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7148000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7154000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7142000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7103000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 715a000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 712d000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7133000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 713c000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 715d000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 710f000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 710f000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 712a000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7127000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 711b000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7121000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7121000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7124000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7124000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7109000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 70fa000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7160000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7163000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7136000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7130000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 710c000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 710c000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7118000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7118000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 7187000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 716f000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7166000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 716c000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7169000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7172000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 7175000a .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\Drive Manager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 7100000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 7100000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4324] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 70b8000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70b5000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70b5000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70d6000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70d6000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c1000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c1000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70c7000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70c7000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70be000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70be000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70ee000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70ee000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70ca000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70ca000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e2000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e2000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70df000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70df000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70c4000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70c4000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70af000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70af000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70f4000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70f4000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70f7000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70f7000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d3000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d3000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70eb000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70eb000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f1000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f1000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70e5000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70e5000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70e8000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70e8000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70bb000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70bb000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b2000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b2000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d0000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d0000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70b8000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70b8000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70cd000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70cd000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70dc000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70dc000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70d9000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70d9000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7181000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 7178000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 7184000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 717e000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 717b000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7151000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7145000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7100000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 713f000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7139000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7157000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7106000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7106000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 714b000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 711e000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7115000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7115000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 70fd000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7112000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7112000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 714e000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7148000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7154000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7142000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7103000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 715a000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 712d000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7133000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 713c000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 715d000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 710f000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 710f000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 712a000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7127000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 711b000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7121000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7121000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7124000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7124000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7109000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 70fa000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7160000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7163000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7136000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7130000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 710c000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 710c000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7118000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7118000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 7187000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 716f000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7166000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 716c000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7169000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7172000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 7175000a .text E:\Samsung Drive Manager\ABRTMon.exe[4368] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4540] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x258ba0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes JMP 6f2d .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 4e .text C:\Windows\System32\svchost.exe[5040] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes JMP 0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7100000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7100000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 70b2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[968] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7100000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70b2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70b2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70ac000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70ac000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 711e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7115000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7115000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7100000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 712d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 710f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 710f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 712a000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7127000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 711b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7121000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7130000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 710c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 710c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[1496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\DllHost.exe[5408] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5192] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 707a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 707a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 709b000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 709b000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 7086000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 7086000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 708c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 708c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 7083000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 7083000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 708f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 708f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70a7000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70a7000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70a4000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70a4000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 7089000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 7089000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 7074000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 7074000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70dd000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70dd000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70e0000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70e0000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 7098000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 7098000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70d3000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70d3000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70da000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70da000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70bf000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70bf000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 7080000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 7080000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 7077000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 7077000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 7095000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 7095000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 707d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 707d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 7092000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 7092000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70a1000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70a1000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 709e000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 709e000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 712e000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 70e9000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7128000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7122000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 70ef000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 70ef000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7134000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7107000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 70fe000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 70fe000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 70e6000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 70fb000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 70fb000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7137000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7131000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 712b000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 70ec000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7116000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 711c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7125000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 70f8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 70f8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7113000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7110000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7104000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 710a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 710a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 710d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 710d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 70f2000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 70e3000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 711f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7119000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 70f5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 70f5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7101000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 5 00000000771a88f0 1 byte [71] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[2824] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes JMP f9d3300f .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes JMP 580240 .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes JMP 0 .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes JMP 57726f74 .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes JMP ebd5ae58 .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes JMP 6d636315 .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes JMP 80000018 .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes JMP aab .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\shell32.DLL!SHFileOperationW 000007fefdc38f1c 5 bytes [FF, 25, 14, 71, D7] .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\shell32.DLL!SHFileOperation 000007fefde522e4 6 bytes {JMP QWORD [RIP+0xb3dd4c]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\Internet Explorer\iexplore.exe[2024] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000002b850a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 7096000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 7096000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70bf000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70bf000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70a2000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70a2000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70a8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70a8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 709f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 709f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70d7000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70d7000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70ab000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70ab000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70cb000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70cb000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70c8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70c8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70a5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70a5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 7090000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 7090000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70dd000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70dd000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70e0000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70e0000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70b6000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70b6000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70d4000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70d4000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70da000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70da000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70ce000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70ce000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70d1000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70d1000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 709c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 709c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 7093000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 7093000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70b3000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70b3000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 7099000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 7099000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70ae000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70ae000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70c5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70c5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70c2000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70c2000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 712e000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 70e9000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7128000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7122000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 70ef000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 70ef000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7134000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7107000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 70fe000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 70fe000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 70e6000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 70fb000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 70fb000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7137000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7131000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 712b000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 70ec000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7116000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 711c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7125000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 70f8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 70f8000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7113000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7110000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7104000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 710a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 710a000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 710d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 710d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 70f2000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 70e3000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 711f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7119000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 70f5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 70f5000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7101000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 5 00000000771a88f0 1 byte [71] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[3584] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\wuauclt.exe[6444] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6340] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000742c17fa 2 bytes CALL 753911a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000742c1860 2 bytes CALL 753911a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000742c1942 2 bytes JMP 75b07089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000742c194d 2 bytes JMP 75b0cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4768] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskhost.exe[7572] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes JMP 0 .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes CALL 3000025 .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\SearchProtocolHost.exe[8084] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70be000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70be000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70df000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7100000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7100000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7184000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717b000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 7187000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 717e000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007503124e 6 bytes JMP 718a000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetWindowLongW 0000000077148332 6 bytes JMP 715a000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!PostThreadMessageW 0000000077148bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendMessageW 0000000077149679 6 bytes JMP 7148000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007714ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!RegisterHotKey 000000007714efc9 3 bytes JMP 710f000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710f000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!PostMessageW 00000000771512a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!GetKeyState 000000007715291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetParent 0000000077152d64 3 bytes JMP 711e000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetParent + 4 0000000077152d68 2 bytes JMP 711e000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!EnableWindow 0000000077152da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!MoveWindow 0000000077153698 3 bytes JMP 711b000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!MoveWindow + 4 000000007715369c 2 bytes JMP 711b000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000077153baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!PostThreadMessageA 0000000077153c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetWindowLongA 0000000077156110 6 bytes JMP 715d000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendMessageA 000000007715612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710c000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000077157603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendNotifyMessageW 0000000077157668 6 bytes JMP 7136000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 000000007715835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7118000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7118000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7133000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!GetKeyboardState 000000007716ec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendInput 000000007716ff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendInput + 4 000000007716ff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!GetClipboardData 0000000077189f1d 6 bytes JMP 7112000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!ExitWindowsEx 0000000077191497 6 bytes JMP 7103000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!mouse_event 00000000771a027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!keybd_event 00000000771a02bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!BlockInput 00000000771a7dd7 3 bytes JMP 7115000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7115000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7172000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\shell32.DLL!SHFileOperationW 00000000763d9650 6 bytes JMP 70b2000a .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1748] C:\Windows\syswow64\shell32.DLL!SHFileOperation 00000000765dbb21 6 bytes JMP 70b5000a .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774d3260 6 bytes {JMP QWORD [RIP+0x8b6cdd0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774fdca0 6 bytes {JMP QWORD [RIP+0x8b22390]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774fdd70 6 bytes {JMP QWORD [RIP+0x93622c0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774fde70 6 bytes {JMP QWORD [RIP+0x92021c0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774fdee0 6 bytes {JMP QWORD [RIP+0x92e2150]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774fdf20 6 bytes {JMP QWORD [RIP+0x92a2110]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774fdfc0 6 bytes {JMP QWORD [RIP+0x9302070]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774fe030 6 bytes {JMP QWORD [RIP+0x9102000]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774fe050 6 bytes {JMP QWORD [RIP+0x9281fe0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774fe090 6 bytes {JMP QWORD [RIP+0x9181fa0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774fe0e0 6 bytes {JMP QWORD [RIP+0x91a1f50]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774fe100 6 bytes {JMP QWORD [RIP+0x92c1f30]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774fe2f0 6 bytes {JMP QWORD [RIP+0x93a1d40]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774fe300 6 bytes {JMP QWORD [RIP+0x90c1d30]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774fe400 6 bytes {JMP QWORD [RIP+0x90a1c30]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774fe4d0 6 bytes {JMP QWORD [RIP+0x9221b60]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774fe510 6 bytes {JMP QWORD [RIP+0x9121b20]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774fe580 6 bytes {JMP QWORD [RIP+0x90e1ab0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774fe5b0 6 bytes {JMP QWORD [RIP+0x9161a80]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774fe610 6 bytes {JMP QWORD [RIP+0x9141a20]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774fe620 6 bytes {JMP QWORD [RIP+0x9321a10]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774fe630 6 bytes {JMP QWORD [RIP+0x9381a00]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774fe9a0 6 bytes {JMP QWORD [RIP+0x9241690]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774fea30 6 bytes {JMP QWORD [RIP+0x9341600]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774ff2a0 6 bytes {JMP QWORD [RIP+0x9260d90]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774ff320 6 bytes {JMP QWORD [RIP+0x91c0d10]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774ff3a0 6 bytes {JMP QWORD [RIP+0x91e0c90]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe[2336] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a1870 6 bytes {JMP QWORD [RIP+0x8e5e7c0]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adbc0 6 bytes {JMP QWORD [RIP+0x8db2470]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f500 6 bytes {JMP QWORD [RIP+0x8d80b30]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f530 6 bytes {JMP QWORD [RIP+0x8dc0b00]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f700 6 bytes {JMP QWORD [RIP+0x8d60930]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254d0 6 bytes {JMP QWORD [RIP+0x8d9ab60]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd574c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd57a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7522cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!BitBlt 000007feff7524c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff755bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff758388 6 bytes {JMP QWORD [RIP+0xb7ca8]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7589c8 6 bytes {JMP QWORD [RIP+0x97668]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!GetPixel 000007feff759334 6 bytes {JMP QWORD [RIP+0xd6cfc]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff75b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff75c8d0 6 bytes {JMP QWORD [RIP+0x153760]} .text C:\Windows\system32\SearchFilterHost.exe[2116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd677490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70bb000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70bb000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70dc000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70dc000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70c7000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70c7000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70cd000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70cd000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70c4000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70c4000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70f4000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70f4000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d0000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d0000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70e8000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70e8000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70e5000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70e5000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70ca000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70ca000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70b5000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70b5000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 70fa000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 70fa000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 70fd000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 70fd000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70d9000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70d9000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f1000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f1000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70f7000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70f7000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70eb000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70eb000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70ee000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70ee000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c1000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c1000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70b8000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70b8000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70d6000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70d6000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70be000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70be000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d3000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d3000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e2000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e2000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70df000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70df000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 7175000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 716c000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7172000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 716f000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 7157000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 714b000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 7106000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 7145000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 713f000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 715d000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 710c000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 710c000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7151000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 7124000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 711b000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 711b000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7103000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 7118000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 7118000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 7154000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 714e000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 715a000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 7148000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 7109000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7160000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7133000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 7139000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7142000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7163000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 7115000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 7115000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7130000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 712d000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7121000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 7127000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 7127000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 712a000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 712a000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 710f000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7100000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 7166000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 7169000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 713c000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 7136000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7112000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7112000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 711e000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 711e000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000763d9650 6 bytes JMP 7178000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000765dbb21 6 bytes JMP 717b000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text E:\Program Files (x86)\Notepad++\notepad++.exe[7752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776afa2c 3 bytes JMP 71af000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776afa30 2 bytes JMP 71af000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000776afb74 3 bytes JMP 70c1000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000776afb78 2 bytes JMP 70c1000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776afcfc 3 bytes JMP 70e2000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776afd00 2 bytes JMP 70e2000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776afdb0 3 bytes JMP 70cd000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776afdb4 2 bytes JMP 70cd000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776afe14 3 bytes JMP 70d3000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776afe18 2 bytes JMP 70d3000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776aff0c 3 bytes JMP 70ca000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776aff10 2 bytes JMP 70ca000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000776affc0 3 bytes JMP 70fa000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000776affc4 2 bytes JMP 70fa000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776afff0 3 bytes JMP 70d6000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776afff4 2 bytes JMP 70d6000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776b0050 3 bytes JMP 70ee000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776b0054 2 bytes JMP 70ee000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776b00d0 3 bytes JMP 70eb000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776b00d4 2 bytes JMP 70eb000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776b0100 3 bytes JMP 70d0000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776b0104 2 bytes JMP 70d0000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776b0404 3 bytes JMP 70bb000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776b0408 2 bytes JMP 70bb000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776b041c 3 bytes JMP 7100000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776b0420 2 bytes JMP 7100000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776b059c 3 bytes JMP 7103000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776b05a0 2 bytes JMP 7103000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776b06e0 3 bytes JMP 70df000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776b06e4 2 bytes JMP 70df000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776b0740 3 bytes JMP 70f7000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776b0744 2 bytes JMP 70f7000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776b07e8 3 bytes JMP 70fd000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776b07ec 2 bytes JMP 70fd000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776b0830 3 bytes JMP 70f1000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776b0834 2 bytes JMP 70f1000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776b08c0 3 bytes JMP 70f4000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776b08c4 2 bytes JMP 70f4000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776b08d8 3 bytes JMP 70c7000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776b08dc 2 bytes JMP 70c7000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776b08f0 3 bytes JMP 70be000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776b08f4 2 bytes JMP 70be000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776b0e40 3 bytes JMP 70dc000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776b0e44 2 bytes JMP 70dc000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776b0f24 3 bytes JMP 70c4000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776b0f28 2 bytes JMP 70c4000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776b1c30 3 bytes JMP 70d9000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776b1c34 2 bytes JMP 70d9000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776b1d00 3 bytes JMP 70e8000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776b1d04 2 bytes JMP 70e8000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776b1dd8 3 bytes JMP 70e5000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776b1ddc 2 bytes JMP 70e5000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776d3bfb 6 bytes JMP 71a8000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753a3bab 3 bytes JMP 719c000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753a3baf 2 bytes JMP 719c000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000753a9aa4 6 bytes JMP 7187000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000753b3b62 6 bytes JMP 717e000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000753bccd1 6 bytes JMP 718a000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007540dc3e 6 bytes JMP 7184000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007540dce1 6 bytes JMP 7181000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075e3f784 6 bytes JMP 719f000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075e42c9e 4 bytes CALL 71ac0000 .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077148332 6 bytes JMP 715d000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077148bff 6 bytes JMP 7151000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000771490d3 6 bytes JMP 710c000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077149679 6 bytes JMP 714b000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000771497d2 6 bytes JMP 7145000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007714ee09 6 bytes JMP 7163000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007714efc9 3 bytes JMP 7112000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007714efcd 2 bytes JMP 7112000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000771512a5 6 bytes JMP 7157000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007715291f 6 bytes JMP 712a000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetParent 0000000077152d64 3 bytes JMP 7121000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077152d68 2 bytes JMP 7121000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077152da4 6 bytes JMP 7109000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077153698 3 bytes JMP 711e000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007715369c 2 bytes JMP 711e000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077153baa 6 bytes JMP 715a000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077153c61 6 bytes JMP 7154000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077156110 6 bytes JMP 7160000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007715612e 6 bytes JMP 714e000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077156c30 6 bytes JMP 710f000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077157603 6 bytes JMP 7166000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077157668 6 bytes JMP 7139000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000771576e0 6 bytes JMP 713f000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007715781f 6 bytes JMP 7148000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007715835c 6 bytes JMP 7169000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007715c4b6 3 bytes JMP 711b000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007715c4ba 2 bytes JMP 711b000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007716c112 6 bytes JMP 7136000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007716d0f5 6 bytes JMP 7133000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007716eb96 6 bytes JMP 7127000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007716ec68 3 bytes JMP 712d000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007716ec6c 2 bytes JMP 712d000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendInput 000000007716ff4a 3 bytes JMP 7130000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007716ff4e 2 bytes JMP 7130000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077189f1d 6 bytes JMP 7115000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000077191497 6 bytes JMP 7106000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!mouse_event 00000000771a027b 6 bytes JMP 716c000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!keybd_event 00000000771a02bf 6 bytes JMP 716f000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000771a6cfc 6 bytes JMP 7142000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000771a6d5d 6 bytes JMP 713c000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!BlockInput 00000000771a7dd7 3 bytes JMP 7118000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000771a7ddb 2 bytes JMP 7118000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000771a88eb 3 bytes JMP 7124000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000771a88ef 2 bytes JMP 7124000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075db58b3 6 bytes JMP 718d000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075db5ea6 6 bytes JMP 717b000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075db7bcc 6 bytes JMP 7196000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075dbb895 6 bytes JMP 7172000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075dbc332 6 bytes JMP 7178000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075dbcbfb 6 bytes JMP 7190000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075dbe743 6 bytes JMP 7193000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075de4857 6 bytes JMP 7175000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759c9d0b 6 bytes JMP 7199000a .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752b1401 2 bytes JMP 753bb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752b1419 2 bytes JMP 753bb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752b1431 2 bytes JMP 75438f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752b144a 2 bytes CALL 7539489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752b14dd 2 bytes JMP 75438822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752b14f5 2 bytes JMP 754389f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752b150d 2 bytes JMP 75438718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752b1525 2 bytes JMP 75438ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752b153d 2 bytes JMP 753afca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752b1555 2 bytes JMP 753b68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752b156d 2 bytes JMP 75438fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752b1585 2 bytes JMP 75438b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752b159d 2 bytes JMP 754386dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752b15b5 2 bytes JMP 753afd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752b15cd 2 bytes JMP 753bb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752b16b2 2 bytes JMP 75438ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe[6936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752b16bd 2 bytes JMP 75438671 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88000e7af1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88000e7acc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88000e7b69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88000e7ba98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88000e7b8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef6f2741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef6f25f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef6f25674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef6f25e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef6f27f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef6f26a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef6f26ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef6f27b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef6f27ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef6f278b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef6f24fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef6f25d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2480] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef6f27584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Windows Sidebar\sidebar.exe[2088] @ C:\Program Files\Windows Sidebar\sidebar.exe[USER32.dll!GetAsyncKeyState] [7feea4b5830] C:\Users\Pacak\AppData\Local\Microsoft\Windows Sidebar\Gadgets\Sidebar7.gadget\Release\Sidebar7.64.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Program Files\Internet Explorer\iexplore.exe[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\advapi32.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\shell32.DLL[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxIndirectW] [7fedd53d840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\shell32.DLL[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!DialogBoxParamA] [7fedd5663e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\iertutil.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ole32.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ole32.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ole32.dll[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IEFRAME.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxIndirectW] [7fedd53d840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52\comctl32.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52\comctl32.dll[USER32.dll!DialogBoxIndirectParamW] [7fedd566300] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52\comctl32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\comdlg32.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\comdlg32.dll[USER32.dll!DialogBoxIndirectParamW] [7fedd566300] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\comdlg32.dll[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\comdlg32.dll[COMCTL32.dll!PropertySheetW] [7fedd567160] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\comdlg32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\urlmon.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\urlmon.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\WININET.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\Secur32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\CLBCatQ.DLL[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\apphelp.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\mshtml.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\mshtml.dll[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\mshtml.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\mshtml.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\IEUI.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\windowscodecs.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\oleacc.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\explorerframe.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\explorerframe.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\DUser.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\DUI70.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\DUI70.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\MLANG.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\dxgi.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\WINTRUST.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\fwpuclnt.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\credssp.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\schannel.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\bcrypt.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\cryptnet.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\NaturalLanguage6.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\StructuredQuery.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\msxml6.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\LINKINFO.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ntshrui.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ntshrui.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\ntshrui.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\srvcli.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\NLSData0000.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\ieapfltr.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\shdocvw.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\shdocvw.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\shdocvw.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\WINHTTP.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\webio.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\MPR.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\NLAapi.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\COMCTL32.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_a4d3b9377117c3df\COMCTL32.dll[USER32.dll!DialogBoxIndirectParamW] [7fedd566300] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL[USER32.dll!MessageBoxW] [7fedd566a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\MSVCR90.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895\ATL90.DLL[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\cscui.dll[USER32.dll!EnableWindow] [7fedd523370] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\cscui.dll[USER32.dll!DialogBoxParamW] [7fedd5664e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\cscui.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\System32\CSCDLL.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Windows\system32\tquery.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[2024] @ C:\Program Files\Microsoft Security Client\MpOAv.dll[KERNEL32.dll!GetProcAddress] [7fedd521800] C:\Program Files\Internet Explorer\IEShims.dll ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-6 fffffa8006ac32c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8006ac32c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8006ac32c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8006ac32c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8006ac32c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa8006ac32c0 Device \Driver\aixfcvx2 \Device\Scsi\aixfcvx21 fffffa800832c2c0 Device \Driver\a4abwg2r \Device\Scsi\a4abwg2r1 fffffa80083892c0 Device \FileSystem\Ntfs \Ntfs fffffa8006ad12c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{04AE9F5A-D32F-491F-AC6A-7BCBA5FE968B} fffffa8007fc92c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa80083032c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa80083192c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa80083192c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{66C9AAF1-B60A-4319-B936-D4D5DE1EB890} fffffa8007fc92c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007ca02c0 Device \Driver\cdrom \Device\CdRom1 fffffa8007ca02c0 Device \Driver\cdrom \Device\CdRom2 fffffa8007ca02c0 Device \Driver\dtsoftbus01 \Device\0000007b fffffa8007a962c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa80083192c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa80083192c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80083032c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80083192c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8007a962c0 Device \Driver\dtsoftbus01 \Device\0000007c fffffa8007a962c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa80083032c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa80083192c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa80083192c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007fc92c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa80083192c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80083192c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80083032c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8006ac32c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80083192c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8006ac32c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8006ac32c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8006ac32c0 Device \Driver\aixfcvx2 \Device\ScsiPort4 fffffa800832c2c0 Device \Driver\a4abwg2r \Device\ScsiPort5 fffffa80083892c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006ac32c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8006ac32c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b4b060] fffffa8007b4b060 Trace 3 CLASSPNP.SYS[fffff880013d043f] -> nt!IofCallDriver -> [0xfffffa80079c09b0] fffffa80079c09b0 Trace 5 ACPI.sys[fffff8800107e7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007a86060] fffffa8007a86060 Trace \Driver\atapi[0xfffffa8006b09e70] -> IRP_MJ_CREATE -> 0xfffffa8006ac32c0 fffffa8006ac32c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aixfcvx2.SYS fffff8800726a000-fffff880072b6000 (311296 bytes) Module \SystemRoot\System32\Drivers\a4abwg2r.SYS fffff88013d4f000-fffff88013da0000 (331776 bytes) ---- Processes - GMER 2.1 ---- Library C:\Users\Pacak\AppData\Local\Microsoft\Windows Sidebar\Gadgets\Sidebar7.gadget\Release\Sidebar7.64.dll (*** suspicious ***) @ C:\Program Files\Windows Sidebar\sidebar.exe [2088] (7 Sidebar/Helmut Buhler)(2014-09-07 18:52:54) 000007feea4b0000 Process C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe (*** suspicious ***) @ C:\Users\Pacak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8O99AYB\qnqnkjlr.exe [6936](2015-09-03 22:16:14) 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0x03 0x87 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 e:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0xBD 0x8D 0xD3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xA1 0x02 0xB1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x65 0xD8 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x16 0xA8 0x7E 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0x03 0x87 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 e:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0xBD 0x8D 0xD3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xA1 0x02 0xB1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x65 0xD8 0x04 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x16 0xA8 0x7E 0x23 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----