GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-16 09:30:27 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000068 SAMSUNG_ rev.1AJ1 465,76GB Running: c6gzxyr2.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\pxldipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800033fc000 64 bytes [00, 00, 71, 00, 41, 66, 64, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 626 fffff800033fc042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774e13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774e15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077396ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077398184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SetParent 0000000077398530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!PostMessageA 000000007739a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!EnableWindow 000000007739aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!MoveWindow 000000007739aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007739c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007739cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007739d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendMessageA 000000007739d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007739dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007739f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007739f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007739fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773a0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000773a4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!GetKeyState 00000000773a5010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773a5438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendMessageW 00000000773a6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!PostMessageW 00000000773a76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773add90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ae874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773af780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773b28e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!mouse_event 00000000773b3894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773b8a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773b8be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773b8c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendInput 00000000773b8cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!BlockInput 00000000773bad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773e14e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!keybd_event 00000000774045a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007740cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007740df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774e13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774e15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd776bd0 5 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077396ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077398184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetParent 0000000077398530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostMessageA 000000007739a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!EnableWindow 000000007739aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!MoveWindow 000000007739aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007739c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007739cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007739d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageA 000000007739d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007739dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007739f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007739f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007739fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773a0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000773a4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetKeyState 00000000773a5010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773a5438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageW 00000000773a6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostMessageW 00000000773a76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773add90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ae874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773af780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773b28e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!mouse_event 00000000773b3894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773b8a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773b8be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773b8c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendInput 00000000773b8cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!BlockInput 00000000773bad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773e14e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!keybd_event 00000000774045a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007740cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007740df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd240308 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd240228 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240378 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240340 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\lsm.exe[604] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd776bd0 5 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240378 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd776bd0 5 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240378 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd776bd0 5 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240378 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007768ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007768ffe7 2 bytes [9A, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077690094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077690398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077690674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077690884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776ac45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776b1217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000751f103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000751f1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007521c9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd776bd0 5 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240378 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007768ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007768ffe7 2 bytes [9A, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077690094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077690398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077690674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077690884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776ac45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776b1217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000751f103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000751f1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007521c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000760df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075b6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075b6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075b6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075b6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendInput 0000000075b6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075ba027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075ba02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075ba6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075ba6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075ba7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075ba88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076135ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076137bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007613b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007613c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007613cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007613e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076164646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1628] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075852538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\AEADISRV.EXE[1668] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1700] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\taskhost.exe[2260] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2700] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007768ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007768ffe7 2 bytes [9A, 98] .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077690094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077690398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077690674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077690884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776ac45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776b1217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000751f103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000751f1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007521c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000760df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075b6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075b6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075b6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075b6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendInput 0000000075b6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075ba027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075ba02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075ba6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075ba6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075ba7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075ba88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076135ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076137bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007613b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007613c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007613cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007613e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076164646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe[1960] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075852538 5 bytes JMP 00000001100244d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Program Files\Windows Sidebar\sidebar.exe[2320] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9c0 5 bytes JMP 000000010025d120 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fc90 5 bytes JMP 000000010026fc20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd44 5 bytes JMP 000000010026e100 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fda8 5 bytes JMP 000000010026ed90 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fea0 5 bytes JMP 000000010026c3c0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ff84 5 bytes JMP 000000010026e7a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007768ffe4 2 bytes JMP 0000000100270080 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007768ffe7 2 bytes [BE, 88] .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690064 5 bytes JMP 000000010026fe40 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077690094 5 bytes JMP 000000010026e400 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077690398 5 bytes JMP 000000010026cde0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690530 5 bytes JMP 000000010026b670 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077690674 5 bytes JMP 000000010026f8b0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769086c 5 bytes JMP 000000010026bfe0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077690884 5 bytes JMP 000000010026ca40 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690dd4 5 bytes JMP 000000010026f6a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690eb8 5 bytes JMP 000000010026f220 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bc4 5 bytes JMP 000000010026f460 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691c94 5 bytes JMP 000000010026c670 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d6c 5 bytes JMP 000000010026f020 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776ac45a 5 bytes JMP 0000000100267f40 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776b1217 7 bytes JMP 000000010025d240 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000751f103d 5 bytes JMP 0000000100265070 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000751f1072 5 bytes JMP 0000000100265c00 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007521c9b5 5 bytes JMP 0000000100263ba0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000760df776 5 bytes JMP 000000010025d270 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b48bff 5 bytes JMP 000000010025b6e0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b490d3 7 bytes JMP 000000010025c470 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b49679 5 bytes JMP 000000010025b1a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b497d2 5 bytes JMP 000000010025ac20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 000000010025c160 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b4efc9 5 bytes JMP 0000000100258140 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b512a5 5 bytes JMP 000000010025bc20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b5291f 5 bytes JMP 00000001002593d0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b52d64 5 bytes JMP 0000000100258980 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b52da4 5 bytes JMP 0000000100257ea0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b53698 5 bytes JMP 0000000100258c20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b53baa 5 bytes JMP 000000010025bec0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b53c61 5 bytes JMP 000000010025b980 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b5612e 5 bytes JMP 000000010025b440 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b56c30 7 bytes JMP 000000010025c690 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 000000010025c8b0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b57668 5 bytes JMP 000000010025a160 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b576e0 5 bytes JMP 000000010025a6a0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b5781f 5 bytes JMP 000000010025aee0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 000000010025cb20 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b5c4b6 5 bytes JMP 0000000100258780 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075b6c112 5 bytes JMP 0000000100259eb0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075b6d0f5 5 bytes JMP 0000000100259c00 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075b6eb96 5 bytes JMP 0000000100259120 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075b6ec68 5 bytes JMP 0000000100259680 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendInput 0000000075b6ff4a 5 bytes JMP 0000000100259930 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b89f1d 5 bytes JMP 0000000100258370 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b91497 5 bytes JMP 0000000100257c90 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075ba027b 5 bytes JMP 00000001002697c0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075ba02bf 5 bytes JMP 00000001002699d0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075ba6cfc 5 bytes JMP 000000010025a960 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075ba6d5d 5 bytes JMP 000000010025a400 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075ba7dd7 5 bytes JMP 0000000100258580 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075ba88eb 5 bytes JMP 0000000100258f00 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761358b3 5 bytes JMP 0000000100268d10 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076135ea6 5 bytes JMP 0000000100269530 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076137bcc 5 bytes JMP 0000000100269e10 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007613b895 5 bytes JMP 0000000100268d50 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007613c332 5 bytes JMP 0000000100269280 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007613cbfb 5 bytes JMP 0000000100268ae0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007613e743 5 bytes JMP 0000000100269d10 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076164646 5 bytes JMP 0000000100268ff0 .text C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe[3572] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075852538 5 bytes JMP 00000001002644d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007768ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007768ffe7 2 bytes [9A, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077690094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077690398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077690674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077690884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776ac45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776b1217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000751f103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000751f1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007521c9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b48bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b490d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b49679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b497d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b4efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b512a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b5291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b52d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b52da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b53698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b53baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b53c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b5612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b56c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b57668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b576e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b5781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b5c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075b6c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075b6d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075b6eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075b6ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendInput 0000000075b6ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b89f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b91497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075ba027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075ba02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075ba6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075ba6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075ba7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3608] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075ba88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3796] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3796] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077396ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077398184 7 bytes JMP 000000016fff0880 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SetParent 0000000077398530 8 bytes JMP 000000016fff0730 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!PostMessageA 000000007739a404 5 bytes JMP 000000016fff0308 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!EnableWindow 000000007739aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!MoveWindow 000000007739aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007739c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007739cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007739d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendMessageA 000000007739d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007739dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007739f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007739f874 9 bytes JMP 000000016fff0298 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007739fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773a0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000773a4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!GetKeyState 00000000773a5010 5 bytes JMP 000000016fff0688 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773a5438 7 bytes JMP 000000016fff0500 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendMessageW 00000000773a6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!PostMessageW 00000000773a76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773add90 5 bytes JMP 000000016fff05e0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ae874 5 bytes JMP 000000016fff0810 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773af780 8 bytes JMP 000000016fff07a0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773b28e4 12 bytes JMP 000000016fff0538 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!mouse_event 00000000773b3894 7 bytes JMP 000000016fff0228 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773b8a10 8 bytes JMP 000000016fff0650 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773b8be0 12 bytes JMP 000000016fff0458 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773b8c20 12 bytes JMP 000000016fff0260 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendInput 00000000773b8cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!BlockInput 00000000773bad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773e14e0 5 bytes JMP 000000016fff0928 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!keybd_event 00000000774045a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007740cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\Explorer.EXE[540] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007740df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\System32\svchost.exe[3400] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077396ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077398184 7 bytes JMP 000000016fff0880 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SetParent 0000000077398530 8 bytes JMP 000000016fff0730 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!PostMessageA 000000007739a404 5 bytes JMP 000000016fff0308 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!EnableWindow 000000007739aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!MoveWindow 000000007739aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007739c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007739cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007739d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendMessageA 000000007739d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007739dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007739f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007739f874 9 bytes JMP 000000016fff0298 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007739fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000773a0b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000773a4d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!GetKeyState 00000000773a5010 5 bytes JMP 000000016fff0688 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000773a5438 7 bytes JMP 000000016fff0500 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendMessageW 00000000773a6b50 5 bytes JMP 000000016fff0420 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!PostMessageW 00000000773a76e4 7 bytes JMP 000000016fff0340 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000773add90 5 bytes JMP 000000016fff05e0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!GetClipboardData 00000000773ae874 5 bytes JMP 000000016fff0810 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000773af780 8 bytes JMP 000000016fff07a0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773b28e4 12 bytes JMP 000000016fff0538 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!mouse_event 00000000773b3894 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000773b8a10 8 bytes JMP 000000016fff0650 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000773b8be0 12 bytes JMP 000000016fff0458 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773b8c20 12 bytes JMP 000000016fff0260 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendInput 00000000773b8cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!BlockInput 00000000773bad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773e14e0 5 bytes JMP 000000016fff0928 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!keybd_event 00000000774045a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007740cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007740df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Windows\System32\svchost.exe[4872] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe13a1a0 7 bytes JMP 000007fffd240180 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774b3ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774b7a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774e1400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774e15d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774e1640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774e1680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774e1720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774e17b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774e17f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774e1840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000774e1842 6 bytes {JMP 0xfffffffff8b0f190} .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774e1860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774e1a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774e1b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774e1c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774e1d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774e1d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774e2100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774e2190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774e2a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774e2a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774e2b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007727a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077291b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077308810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd345290 7 bytes JMP 000007fffd240148 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdfe22cc 5 bytes JMP 000007fffd240260 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdfe24c0 5 bytes JMP 000007fffd240298 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdfe5be0 5 bytes JMP 000007fffd2402d0 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdfe8398 9 bytes JMP 000007fffd2401f0 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdfe89c8 9 bytes JMP 000007fffd2401b8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdfe9344 5 bytes JMP 000007fffd240228 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdfeb9e8 5 bytes JMP 000007fffd240340 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdff5410 3 bytes JMP 000007fffd240308 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!PlgBlt + 4 000007fefdff5414 1 byte [FF] .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007768f9c0 5 bytes JMP 000000011001d120 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fc90 5 bytes JMP 000000011002fc20 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007768fd44 5 bytes JMP 000000011002e100 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007768fda8 5 bytes JMP 000000011002ed90 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007768fea0 5 bytes JMP 000000011002c3c0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007768ff84 5 bytes JMP 000000011002e7a0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007768ffe4 2 bytes JMP 0000000110030080 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007768ffe7 2 bytes [9A, 98] .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690064 5 bytes JMP 000000011002fe40 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077690094 5 bytes JMP 000000011002e400 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077690398 5 bytes JMP 000000011002cde0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077690530 5 bytes JMP 000000011002b670 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077690674 5 bytes JMP 000000011002f8b0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769086c 5 bytes JMP 000000011002bfe0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077690884 5 bytes JMP 000000011002ca40 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077690eb8 5 bytes JMP 000000011002f220 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691bc4 5 bytes JMP 000000011002f460 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077691c94 5 bytes JMP 000000011002c670 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077691d6c 5 bytes JMP 000000011002f020 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000776ac45a 5 bytes JMP 0000000110027f40 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776b1217 7 bytes JMP 000000011001d240 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000751f103d 5 bytes JMP 0000000110025070 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000751f1072 5 bytes JMP 0000000110025c00 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007521c9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000760df776 5 bytes JMP 000000011001d270 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b48bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b490d3 7 bytes JMP 000000011001c470 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b49679 5 bytes JMP 000000011001b1a0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b497d2 5 bytes JMP 000000011001ac20 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 000000011001c160 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b4efc9 5 bytes JMP 0000000110018140 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b512a5 5 bytes JMP 000000011001bc20 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b5291f 5 bytes JMP 00000001100193d0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b52d64 5 bytes JMP 0000000110018980 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b52da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b53698 5 bytes JMP 0000000110018c20 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b53baa 5 bytes JMP 000000011001bec0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b53c61 5 bytes JMP 000000011001b980 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b5612e 5 bytes JMP 000000011001b440 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b56c30 7 bytes JMP 000000011001c690 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 000000011001c8b0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b57668 5 bytes JMP 000000011001a160 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b576e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b5781f 5 bytes JMP 000000011001aee0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 000000011001cb20 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b5c4b6 5 bytes JMP 0000000110018780 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075b6c112 5 bytes JMP 0000000110019eb0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075b6d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075b6eb96 5 bytes JMP 0000000110019120 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075b6ec68 5 bytes JMP 0000000110019680 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendInput 0000000075b6ff4a 5 bytes JMP 0000000110019930 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b89f1d 5 bytes JMP 0000000110018370 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b91497 5 bytes JMP 0000000110017c90 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075ba027b 5 bytes JMP 00000001100297c0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075ba02bf 5 bytes JMP 00000001100299d0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075ba6cfc 5 bytes JMP 000000011001a960 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075ba6d5d 5 bytes JMP 000000011001a400 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075ba7dd7 5 bytes JMP 0000000110018580 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075ba88eb 5 bytes JMP 0000000110018f00 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761358b3 5 bytes JMP 0000000110028d10 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076135ea6 5 bytes JMP 0000000110029530 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076137bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007613b895 5 bytes JMP 0000000110028d50 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007613c332 5 bytes JMP 0000000110029280 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007613cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007613e743 5 bytes JMP 0000000110029d10 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076164646 5 bytes JMP 0000000110028ff0 .text C:\Users\Przemek\Desktop\c6gzxyr2.exe[3920] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075852538 5 bytes JMP 00000001100244d0 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [1401caad0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1401cbfb0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3040] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [4872:5040] 000007fef6c99688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{181C6B8A-E5E7-4C1E-B243-A5952F1FDD36}\Connection@Name isatap.{3F937529-12CE-452D-9709-6DC42FD37196} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{BC96E10C-B062-41F5-BCEA-504140574133}?\Device\{29D1343C-FE26-4279-8C71-723BAD984F3D}?\Device\{181C6B8A-E5E7-4C1E-B243-A5952F1FDD36}?\Device\{3EE9DD99-619B-47DD-BBA1-3790C4B5D8B9}?\Device\{4F48BBE8-523A-4B9B-B79E-10553D4EEB23}?\Device\{7CF0B31E-A961-42C1-AE72-C801F2ED81BD}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{BC96E10C-B062-41F5-BCEA-504140574133}"?"{29D1343C-FE26-4279-8C71-723BAD984F3D}"?"{181C6B8A-E5E7-4C1E-B243-A5952F1FDD36}"?"{3EE9DD99-619B-47DD-BBA1-3790C4B5D8B9}"?"{4F48BBE8-523A-4B9B-B79E-10553D4EEB23}"?"{7CF0B31E-A961-42C1-AE72-C801F2ED81BD}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{BC96E10C-B062-41F5-BCEA-504140574133}?\Device\TCPIP6TUNNEL_{29D1343C-FE26-4279-8C71-723BAD984F3D}?\Device\TCPIP6TUNNEL_{181C6B8A-E5E7-4C1E-B243-A5952F1FDD36}?\Device\TCPIP6TUNNEL_{3EE9DD99-619B-47DD-BBA1-3790C4B5D8B9}?\Device\TCPIP6TUNNEL_{4F48BBE8-523A-4B9B-B79E-10553D4EEB23}?\Device\TCPIP6TUNNEL_{7CF0B31E-A961-42C1-AE72-C801F2ED81BD}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{181C6B8A-E5E7-4C1E-B243-A5952F1FDD36}@InterfaceName isatap.{3F937529-12CE-452D-9709-6DC42FD37196} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{181C6B8A-E5E7-4C1E-B243-A5952F1FDD36}@ReusableType 0 ---- EOF - GMER 2.1 ----