GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-06 08:54:58 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 SAMSUNG_ rev.1AJ1 465,76GB Running: o9l9sfwt.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\pxldipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800033b3000 63 bytes [33, C0, B9, 11, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 625 fffff800033b3041 11 bytes JMP fffff8000343cb95 ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771613c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771615c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077016ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077018184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SetParent 0000000077018530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!PostMessageA 000000007701a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!EnableWindow 000000007701aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!MoveWindow 000000007701aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007701c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007701cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007701d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendMessageA 000000007701d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007701dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007701f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007701f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007701fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077020b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077024d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!GetKeyState 0000000077025010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077025438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendMessageW 0000000077026b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!PostMessageW 00000000770276e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007702dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!GetClipboardData 000000007702e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007702f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000770328e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!mouse_event 0000000077033894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077038a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077038be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077038c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendInput 0000000077038cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!BlockInput 000000007703ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000770614e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!keybd_event 00000000770845a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007708cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007708df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771613c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771615c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff116bd0 5 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077016ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077018184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SetParent 0000000077018530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!PostMessageA 000000007701a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!EnableWindow 000000007701aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!MoveWindow 000000007701aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007701c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007701cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007701d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendMessageA 000000007701d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007701dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007701f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007701f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007701fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077020b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077024d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!GetKeyState 0000000077025010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077025438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendMessageW 0000000077026b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!PostMessageW 00000000770276e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007702dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!GetClipboardData 000000007702e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007702f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000770328e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!mouse_event 0000000077033894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077038a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077038be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077038c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendInput 0000000077038cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!BlockInput 000000007703ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000770614e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!keybd_event 00000000770845a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007708cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007708df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec0228 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0378 .text C:\Windows\system32\services.exe[544] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\lsm.exe[576] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff116bd0 5 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0378 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff116bd0 5 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0378 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[424] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff116bd0 5 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0378 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\atieclxx.exe[1140] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [D2, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1444] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff116bd0 5 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0378 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[1488] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [D2, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007561f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759f8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759f90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759f9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759f97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759fee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759fefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075a012a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SetParent 0000000075a02d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075a02da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075a03698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075a03baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075a03c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075a0612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075a06c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075a07603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075a07668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075a076e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075a0781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075a0835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075a0c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075a1c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075a1d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075a1ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendInput 0000000075a1ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a39f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a41497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a5027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a502bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a56cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a56d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a57dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a588eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075695ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075697bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007569b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007569c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007569cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007569e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000756c4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000753d2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\AEADISRV.EXE[1692] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1740] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\Dwm.exe[2132] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\Explorer.EXE[2208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [D2, 98] .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007561f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759f8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759f90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759f9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759f97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759fee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759fefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075a012a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SetParent 0000000075a02d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075a02da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075a03698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075a03baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075a03c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075a0612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075a06c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075a07603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075a07668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075a076e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075a0781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075a0835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075a0c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075a1c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075a1d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075a1ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendInput 0000000075a1ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a39f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a41497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a5027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a502bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a56cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a56d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a57dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a588eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075695ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075697bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007569b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007569c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007569cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007569e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000756c4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000753d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2504] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000010025d120 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000010026fc20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000010026e100 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000010026ed90 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000010026c3c0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000010026e7a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000100270080 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [F6, 88] .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000010026fe40 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000010026e400 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000010026cde0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000010026b670 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000010026f8b0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000010026bfe0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000010026ca40 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000010026f6a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000010026f220 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000010026f460 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000010026c670 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000010026f020 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000100267f40 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000010025d240 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000100265070 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000100265c00 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000100263ba0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007561f776 5 bytes JMP 000000010025d270 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759f8bff 5 bytes JMP 000000010025b6e0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759f90d3 7 bytes JMP 000000010025c470 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759f9679 5 bytes JMP 000000010025b1a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759f97d2 5 bytes JMP 000000010025ac20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759fee09 5 bytes JMP 000000010025c160 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759fefc9 5 bytes JMP 0000000100258140 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075a012a5 5 bytes JMP 000000010025bc20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 5 bytes JMP 00000001002593d0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SetParent 0000000075a02d64 5 bytes JMP 0000000100258980 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075a02da4 5 bytes JMP 0000000100257ea0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075a03698 5 bytes JMP 0000000100258c20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075a03baa 5 bytes JMP 000000010025bec0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075a03c61 5 bytes JMP 000000010025b980 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075a0612e 5 bytes JMP 000000010025b440 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075a06c30 7 bytes JMP 000000010025c690 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075a07603 5 bytes JMP 000000010025c8b0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075a07668 5 bytes JMP 000000010025a160 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075a076e0 5 bytes JMP 000000010025a6a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075a0781f 5 bytes JMP 000000010025aee0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075a0835c 5 bytes JMP 000000010025cb20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075a0c4b6 5 bytes JMP 0000000100258780 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075a1c112 5 bytes JMP 0000000100259eb0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075a1d0f5 5 bytes JMP 0000000100259c00 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 5 bytes JMP 0000000100259120 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075a1ec68 5 bytes JMP 0000000100259680 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendInput 0000000075a1ff4a 5 bytes JMP 0000000100259930 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a39f1d 5 bytes JMP 0000000100258370 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a41497 5 bytes JMP 0000000100257c90 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a5027b 5 bytes JMP 00000001002697c0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a502bf 5 bytes JMP 00000001002699d0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a56cfc 5 bytes JMP 000000010025a960 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a56d5d 5 bytes JMP 000000010025a400 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a57dd7 5 bytes JMP 0000000100258580 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a588eb 5 bytes JMP 0000000100258f00 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756958b3 5 bytes JMP 0000000100268d10 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075695ea6 5 bytes JMP 0000000100269530 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075697bcc 5 bytes JMP 0000000100269e10 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007569b895 5 bytes JMP 0000000100268d50 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007569c332 5 bytes JMP 0000000100269280 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007569cbfb 5 bytes JMP 0000000100268ae0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007569e743 5 bytes JMP 0000000100269d10 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000756c4646 5 bytes JMP 0000000100268ff0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000753d2538 5 bytes JMP 00000001002644d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [D2, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3016] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [D2, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007561f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000753d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075695ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075697bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007569b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007569c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007569cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007569e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000756c4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759f8bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759f90d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759f9679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759f97d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759fee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759fefc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075a012a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SetParent 0000000075a02d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075a02da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075a03698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075a03baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075a03c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075a0612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075a06c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075a07603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075a07668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075a076e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075a0781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075a0835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075a0c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075a1c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075a1d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075a1ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendInput 0000000075a1ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a39f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a41497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a5027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a502bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a56cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a56d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a57dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a588eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2820] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\SearchIndexer.exe[2748] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3460] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3460] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3460] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077016ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077018184 7 bytes JMP 000000016fff0880 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetParent 0000000077018530 8 bytes JMP 000000016fff0730 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!PostMessageA 000000007701a404 5 bytes JMP 000000016fff0308 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!EnableWindow 000000007701aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!MoveWindow 000000007701aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007701c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007701cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007701d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendMessageA 000000007701d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007701dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007701f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007701f874 9 bytes JMP 000000016fff0298 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007701fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077020b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077024d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!GetKeyState 0000000077025010 5 bytes JMP 000000016fff0688 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077025438 7 bytes JMP 000000016fff0500 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendMessageW 0000000077026b50 5 bytes JMP 000000016fff0420 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!PostMessageW 00000000770276e4 7 bytes JMP 000000016fff0340 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007702dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!GetClipboardData 000000007702e874 5 bytes JMP 000000016fff0810 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007702f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000770328e4 12 bytes JMP 000000016fff0538 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!mouse_event 0000000077033894 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077038a10 8 bytes JMP 000000016fff0650 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077038be0 12 bytes JMP 000000016fff0458 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077038c20 12 bytes JMP 000000016fff0260 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendInput 0000000077038cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!BlockInput 000000007703ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000770614e0 5 bytes JMP 000000016fff0928 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!keybd_event 00000000770845a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007708cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007708df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\System32\svchost.exe[3752] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff03a1a0 7 bytes JMP 000007fffcec0180 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Program Files\Internet Explorer\iexplore.exe[5060] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 0000000100bfd120 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 0000000100c0b670 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000100c07f40 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 0000000100bfd240 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000100c05070 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000100c05c00 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000100c03ba0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\advapi32.DLL!CreateProcessAsUserA 00000000753d2538 5 bytes JMP 0000000100c044d0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756958b3 5 bytes JMP 0000000100c08d10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075697bcc 5 bytes JMP 0000000100c09e10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007569cbfb 5 bytes JMP 0000000100c08ae0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007569e743 5 bytes JMP 0000000100c09d10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075081465 2 bytes [08, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750814bb 2 bytes [08, 75] .text ... * 2 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe[4296] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077133ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077137a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077161400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771615d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077161640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077161680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077161720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771617b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771617f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077161840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077161842 6 bytes {INT1 ; CALL 0xffffffffccccccfe} .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077161860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077161a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077161b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077161c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077161d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077161d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077162100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077162190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077162a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077162a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077162b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000076efa420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000076f11b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000076f88810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd275290 7 bytes JMP 000007fffcec0148 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff2022cc 5 bytes JMP 000007fffcec0260 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!BitBlt 000007feff2024c0 5 bytes JMP 000007fffcec0298 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff205be0 5 bytes JMP 000007fffcec02d0 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff208398 9 bytes JMP 000007fffcec01f0 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff2089c8 9 bytes JMP 000007fffcec01b8 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!GetPixel 000007feff209344 5 bytes JMP 000007fffcec0228 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff20b9e8 5 bytes JMP 000007fffcec0340 .text C:\Windows\system32\AUDIODG.EXE[3928] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff215410 5 bytes JMP 000007fffcec0308 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007730f9c0 5 bytes JMP 000000011001d120 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fc90 5 bytes JMP 000000011002fc20 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007730fd44 5 bytes JMP 000000011002e100 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007730fda8 5 bytes JMP 000000011002ed90 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007730fea0 5 bytes JMP 000000011002c3c0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007730ff84 5 bytes JMP 000000011002e7a0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007730ffe4 2 bytes JMP 0000000110030080 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007730ffe7 2 bytes [D2, 98] .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310064 5 bytes JMP 000000011002fe40 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077310094 5 bytes JMP 000000011002e400 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077310398 5 bytes JMP 000000011002cde0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077310530 5 bytes JMP 000000011002b670 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077310674 5 bytes JMP 000000011002f8b0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731086c 5 bytes JMP 000000011002bfe0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077310884 5 bytes JMP 000000011002ca40 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077310eb8 5 bytes JMP 000000011002f220 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311bc4 5 bytes JMP 000000011002f460 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077311c94 5 bytes JMP 000000011002c670 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077311d6c 5 bytes JMP 000000011002f020 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007732c45a 5 bytes JMP 0000000110027f40 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077331217 7 bytes JMP 000000011001d240 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007519103d 5 bytes JMP 0000000110025070 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075191072 5 bytes JMP 0000000110025c00 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000751bc9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007561f776 5 bytes JMP 000000011001d270 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759f8bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759f90d3 7 bytes JMP 000000011001c470 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759f9679 5 bytes JMP 000000011001b1a0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759f97d2 5 bytes JMP 000000011001ac20 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759fee09 5 bytes JMP 000000011001c160 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759fefc9 5 bytes JMP 0000000110018140 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075a012a5 5 bytes JMP 000000011001bc20 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 5 bytes JMP 00000001100193d0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SetParent 0000000075a02d64 5 bytes JMP 0000000110018980 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075a02da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075a03698 5 bytes JMP 0000000110018c20 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075a03baa 5 bytes JMP 000000011001bec0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075a03c61 5 bytes JMP 000000011001b980 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075a0612e 5 bytes JMP 000000011001b440 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075a06c30 7 bytes JMP 000000011001c690 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075a07603 5 bytes JMP 000000011001c8b0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075a07668 5 bytes JMP 000000011001a160 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075a076e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075a0781f 5 bytes JMP 000000011001aee0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075a0835c 5 bytes JMP 000000011001cb20 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075a0c4b6 5 bytes JMP 0000000110018780 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075a1c112 5 bytes JMP 0000000110019eb0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075a1d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 5 bytes JMP 0000000110019120 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075a1ec68 5 bytes JMP 0000000110019680 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendInput 0000000075a1ff4a 5 bytes JMP 0000000110019930 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a39f1d 5 bytes JMP 0000000110018370 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a41497 5 bytes JMP 0000000110017c90 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a5027b 5 bytes JMP 00000001100297c0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a502bf 5 bytes JMP 00000001100299d0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a56cfc 5 bytes JMP 000000011001a960 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a56d5d 5 bytes JMP 000000011001a400 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a57dd7 5 bytes JMP 0000000110018580 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a588eb 5 bytes JMP 0000000110018f00 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756958b3 5 bytes JMP 0000000110028d10 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075695ea6 5 bytes JMP 0000000110029530 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075697bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007569b895 5 bytes JMP 0000000110028d50 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007569c332 5 bytes JMP 0000000110029280 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007569cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007569e743 5 bytes JMP 0000000110029d10 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000756c4646 5 bytes JMP 0000000110028ff0 .text C:\Users\Przemek\Desktop\o9l9sfwt.exe[3692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000753d2538 5 bytes JMP 00000001100244d0 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [1401caad0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1401cbfb0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_2b253c8271ec7765\gdiplus.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2452] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3460:3544] 000007fefaf42a7c Thread C:\Windows\System32\svchost.exe [3752:3816] 000007fef03a9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6513326F-FABF-44D5-AD3F-64461FE37501}\Connection@Name isatap.{3F937529-12CE-452D-9709-6DC42FD37196} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{7B36F269-F332-4FA7-BB62-2104A922AC89}?\Device\{8DFFFFC4-2767-427C-AEBC-8F4E12AB5765}?\Device\{6513326F-FABF-44D5-AD3F-64461FE37501}?\Device\{B0F0DDFC-906B-413B-AEED-245DC49EC4B9}?\Device\{4F48BBE8-523A-4B9B-B79E-10553D4EEB23}?\Device\{7CF0B31E-A961-42C1-AE72-C801F2ED81BD}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{7B36F269-F332-4FA7-BB62-2104A922AC89}"?"{8DFFFFC4-2767-427C-AEBC-8F4E12AB5765}"?"{6513326F-FABF-44D5-AD3F-64461FE37501}"?"{B0F0DDFC-906B-413B-AEED-245DC49EC4B9}"?"{4F48BBE8-523A-4B9B-B79E-10553D4EEB23}"?"{7CF0B31E-A961-42C1-AE72-C801F2ED81BD}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{7B36F269-F332-4FA7-BB62-2104A922AC89}?\Device\TCPIP6TUNNEL_{8DFFFFC4-2767-427C-AEBC-8F4E12AB5765}?\Device\TCPIP6TUNNEL_{6513326F-FABF-44D5-AD3F-64461FE37501}?\Device\TCPIP6TUNNEL_{B0F0DDFC-906B-413B-AEED-245DC49EC4B9}?\Device\TCPIP6TUNNEL_{4F48BBE8-523A-4B9B-B79E-10553D4EEB23}?\Device\TCPIP6TUNNEL_{7CF0B31E-A961-42C1-AE72-C801F2ED81BD}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{6513326F-FABF-44D5-AD3F-64461FE37501}@InterfaceName isatap.{3F937529-12CE-452D-9709-6DC42FD37196} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{6513326F-FABF-44D5-AD3F-64461FE37501}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 13309 ---- EOF - GMER 2.1 ----