GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-31 17:54:14 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: xwt40bl2.exe; Driver: C:\Users\ZUAUT\AppData\Local\Temp\pwddikod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800035bd000 45 bytes [00, 00, 1E, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800035bd02f 16 bytes [00, 03, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff880053bcd64 12 bytes {MOV RAX, 0xfffffa8004f232a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779513c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779515c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077806ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077808184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SetParent 0000000077808530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!PostMessageA 000000007780a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!EnableWindow 000000007780aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!MoveWindow 000000007780aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007780c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007780cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007780d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendMessageA 000000007780d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007780dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007780f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007780f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007780fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077810b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077814d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!GetKeyState 0000000077815010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077815438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendMessageW 0000000077816b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!PostMessageW 00000000778176e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007781dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!GetClipboardData 000000007781e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007781f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000778228e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!mouse_event 0000000077823894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077828a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077828be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077828c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendInput 0000000077828cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!BlockInput 000000007782ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778514e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!keybd_event 00000000778745a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007787cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007787df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779513c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779515c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddb6bd0 5 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077806ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077808184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetParent 0000000077808530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostMessageA 000000007780a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!EnableWindow 000000007780aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!MoveWindow 000000007780aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007780c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007780cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007780d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageA 000000007780d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007780dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007780f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007780f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007780fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077810b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077814d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetKeyState 0000000077815010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077815438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageW 0000000077816b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostMessageW 00000000778176e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007781dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetClipboardData 000000007781e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007781f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000778228e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!mouse_event 0000000077823894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077828a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077828be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077828c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendInput 0000000077828cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!BlockInput 000000007782ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778514e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!keybd_event 00000000778745a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007787cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007787df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0378 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddb6bd0 5 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0378 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddb6bd0 5 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0378 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddb6bd0 5 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0378 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\spoolsv.exe[1300] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[1336] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddb6bd0 5 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0378 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1488] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fb_inet_server.exe[1896] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\HASPSrv.exe[1960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2240] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75] .text ... * 2 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75] .text C:\Program Files (x86)\XTrack_2\XtrackDemon.exe[2436] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4052] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0378 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\igfxtray.exe[4068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\hkcmd.exe[4080] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\igfxpers.exe[4092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077951490 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Xerox\NetworkScan\NSCSysUI_XEROX.exe[216] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[164] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\HASPSrvN.exe[1800] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[3576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\System32\svchost.exe[3532] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000010030d120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000010031fc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000010031e100 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000010031ed90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000010031c3c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000010031e7a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000100320080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [82, 88] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000010031fe40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000010031e400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000010031cde0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000010031b670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000010031f8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000010031bfe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000010031ca40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000010031f6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000010031f220 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000010031f460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000010031c670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000010031f020 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000100317f40 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000010030d240 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000100315070 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000100315c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000100313ba0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000010030d270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001003144d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000010030b6e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000010030c470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000010030b1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000010030ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000010030c160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000100308140 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000010030bc20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001003093d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000100308980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000100307ea0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000100308c20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000010030bec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000010030b980 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000010030b440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000010030c690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000010030c8b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000010030a160 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000010030a6a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000010030aee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000010030cb20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000100308780 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000100309eb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000100309c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000100309120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000100309680 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000100309930 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000100308370 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000100307c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001003197c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001003199d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000010030a960 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000010030a400 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000100308580 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000100308f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000100318d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000100319530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000100319e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000100318d50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000100319280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000100318ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000100319d10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1616] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000100318ff0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe3ca1a0 7 bytes JMP 000007fffd6b0180 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75] .text C:\Windows\System32\svchost.exe[3500] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077927a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077951842 6 bytes {JMP 0xfffffffff869f190} .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077701b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077778810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdaa5290 7 bytes JMP 000007fffd6b0148 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe8922cc 5 bytes JMP 000007fffd6b0260 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!BitBlt 000007fefe8924c0 5 bytes JMP 000007fffd6b0298 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefe895be0 5 bytes JMP 000007fffd6b02d0 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe898398 9 bytes JMP 000007fffd6b01f0 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe8989c8 9 bytes JMP 000007fffd6b01b8 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe899344 5 bytes JMP 000007fffd6b0228 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefe89b9e8 5 bytes JMP 000007fffd6b0340 .text C:\Windows\system32\AUDIODG.EXE[3160] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefe8a5410 5 bytes JMP 000007fffd6b0308 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 5 bytes JMP 000000011001d120 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 5 bytes JMP 000000011002fc20 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 5 bytes JMP 000000011002e100 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 5 bytes JMP 000000011002ed90 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 5 bytes JMP 000000011002c3c0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 5 bytes JMP 000000011002e7a0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 2 bytes JMP 0000000110030080 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 0000000077afffe7 2 bytes [53, 98] .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 5 bytes JMP 000000011002fe40 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 5 bytes JMP 000000011002e400 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 5 bytes JMP 000000011002cde0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 5 bytes JMP 000000011002b670 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 5 bytes JMP 000000011002f8b0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 5 bytes JMP 000000011002bfe0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 5 bytes JMP 000000011002ca40 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 5 bytes JMP 000000011002f220 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 5 bytes JMP 000000011002f460 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 5 bytes JMP 000000011002c670 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 5 bytes JMP 000000011002f020 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b1c45a 5 bytes JMP 0000000110027f40 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 7 bytes JMP 000000011001d240 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760d103d 5 bytes JMP 0000000110025070 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760d1072 5 bytes JMP 0000000110025c00 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000761df776 5 bytes JMP 000000011001d270 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075b88bff 5 bytes JMP 000000011001b6e0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075b890d3 7 bytes JMP 000000011001c470 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075b89679 5 bytes JMP 000000011001b1a0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075b897d2 5 bytes JMP 000000011001ac20 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b8ee09 5 bytes JMP 000000011001c160 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075b8efc9 5 bytes JMP 0000000110018140 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b912a5 5 bytes JMP 000000011001bc20 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075b9291f 5 bytes JMP 00000001100193d0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SetParent 0000000075b92d64 5 bytes JMP 0000000110018980 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075b92da4 5 bytes JMP 0000000110017ea0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075b93698 5 bytes JMP 0000000110018c20 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075b93baa 5 bytes JMP 000000011001bec0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075b93c61 5 bytes JMP 000000011001b980 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075b9612e 5 bytes JMP 000000011001b440 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075b96c30 7 bytes JMP 000000011001c690 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b97603 5 bytes JMP 000000011001c8b0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075b97668 5 bytes JMP 000000011001a160 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075b976e0 5 bytes JMP 000000011001a6a0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075b9781f 5 bytes JMP 000000011001aee0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b9835c 5 bytes JMP 000000011001cb20 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b9c4b6 5 bytes JMP 0000000110018780 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075bac112 5 bytes JMP 0000000110019eb0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075bad0f5 5 bytes JMP 0000000110019c00 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075baeb96 5 bytes JMP 0000000110019120 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075baec68 5 bytes JMP 0000000110019680 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendInput 0000000075baff4a 5 bytes JMP 0000000110019930 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075bc9f1d 5 bytes JMP 0000000110018370 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075bd1497 5 bytes JMP 0000000110017c90 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075be027b 5 bytes JMP 00000001100297c0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075be02bf 5 bytes JMP 00000001100299d0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075be6cfc 5 bytes JMP 000000011001a960 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075be6d5d 5 bytes JMP 000000011001a400 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075be7dd7 5 bytes JMP 0000000110018580 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075be88eb 5 bytes JMP 0000000110018f00 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762358b3 5 bytes JMP 0000000110028d10 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076235ea6 5 bytes JMP 0000000110029530 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076237bcc 5 bytes JMP 0000000110029e10 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007623b895 5 bytes JMP 0000000110028d50 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007623c332 5 bytes JMP 0000000110029280 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007623cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007623e743 5 bytes JMP 0000000110029d10 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076264646 5 bytes JMP 0000000110028ff0 .text C:\Users\ZUAUT\Downloads\gmer\xwt40bl2.exe[3664] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000767d2538 5 bytes JMP 00000001100244d0 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001080650] \SystemRoot\System32\Drivers\spda.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010805dc] \SystemRoot\System32\Drivers\spda.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800104b35c] \SystemRoot\System32\Drivers\spda.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800104b224] \SystemRoot\System32\Drivers\spda.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800104ba24] \SystemRoot\System32\Drivers\spda.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104bba0] \SystemRoot\System32\Drivers\spda.sys [unknown section] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [1401caad0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1401cbfb0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3084] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80035212c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80035212c0 Device \FileSystem\Ntfs \Ntfs fffffa80035252c0 Device \FileSystem\fastfat \Fat fffffa8005f792c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8004f772c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8004aa92c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8004f772c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8004aa92c0 Device \Driver\cdrom \Device\CdRom0 fffffa80046932c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8004aa92c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8004aa92c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8004aa92c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8004aa92c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8004f772c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8004aa92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{17C25681-BC9A-43F8-BD17-FD9448BCBCD2} fffffa80046fc2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8004f772c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8004aa92c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa800351d2c0 Device \Driver\volmgr \Device\FtControl fffffa800351d2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa800351d2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa800351d2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa800351d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80046fc2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8004aa92c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8004aa92c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8004aa92c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80035212c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8004aa92c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80035212c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80035212c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80035212c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80035212c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80035212c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80035212c0]<< spda.sys ataport.SYS pciide.sys fffffa80035212c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800462c060] fffffa800462c060 Trace 3 CLASSPNP.SYS[fffff880013c343f] -> nt!IofCallDriver -> [0xfffffa80043c8520] fffffa80043c8520 Trace 5 ACPI.sys[fffff880011877a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80043c4680] fffffa80043c4680 Trace \Driver\atapi[0xfffffa8004313730] -> IRP_MJ_CREATE -> 0xfffffa80035212c0 fffffa80035212c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1792] 0000000077b32e25 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1508] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1504] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2036] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1500] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1480] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1484] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1496] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1476] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1652] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2052] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2056] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2060] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2064] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2068] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2072] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2076] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2080] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2084] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2088] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2092] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2096] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2100] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2104] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2108] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2112] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2116] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2120] 0000000077b33e45 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2124] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2136] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2140] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2144] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2148] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2152] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2156] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2160] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2164] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2168] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2532] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2536] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:1112] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:3364] 0000000073f729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ASENIZACJA\MSSQL\Binn\sqlservr.exe [1452:2716] 0000000077b33e45 Thread C:\Windows\System32\svchost.exe [4332:4544] 000007fef6799688 ---- Processes - GMER 2.1 ---- Library C:\Users\ZUAUT\Downloads\OTL.exe (*** suspicious ***) @ C:\Users\ZUAUT\Downloads\OTL.exe [3500] 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 ---- Files - GMER 2.1 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\59E12A9D-54A8-489A-BE42-CF4968095E5B.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B89A757A-12B4-4D35-AFD4-E192EEAA7080.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\012D04CF-0563-4AFC-9318-2DDB9AA13B6A.data 61 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\012D04CF-0563-4AFC-9318-2DDB9AA13B6A.data.info 80 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\057D766A-68E8-41DD-A4AE-47C263024E32.data 35281 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\057D766A-68E8-41DD-A4AE-47C263024E32.data.info 216 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1C84E964-ED05-4780-9F30-3EDDE720C97D.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1C84E964-ED05-4780-9F30-3EDDE720C97D.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\22AD39D7-8064-4AA0-BB15-4C7E94533E29.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\22AD39D7-8064-4AA0-BB15-4C7E94533E29.data.info 96 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2E16A1ED-EE0E-4950-B6EB-548F752015AD.data 162816 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2E16A1ED-EE0E-4950-B6EB-548F752015AD.data.info 80 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\37851261-3BB2-4483-A606-4F7A22BB3B96.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\37851261-3BB2-4483-A606-4F7A22BB3B96.data.info 96 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\59E12A9D-54A8-489A-BE42-CF4968095E5B.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BC47852B-6B69-4231-8336-C2BCA2BFAFF1.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BC47852B-6B69-4231-8336-C2BCA2BFAFF1.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BF4E88AE-FE7D-4AE4-8A58-6E2DF735BA9C.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BF4E88AE-FE7D-4AE4-8A58-6E2DF735BA9C.data.info 106 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CB3A2C7B-7FB1-46FF-AADF-E51DA02CF31B.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CB3A2C7B-7FB1-46FF-AADF-E51DA02CF31B.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CC5EB170-5BB5-4E3B-BB7E-94686437DDB6.data 3787456 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CC5EB170-5BB5-4E3B-BB7E-94686437DDB6.data.info 174 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E6F6FD29-AD77-42B2-B7C0-70D107FFCD3D.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E6F6FD29-AD77-42B2-B7C0-70D107FFCD3D.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F426AC62-218A-4727-8D18-87049000550E.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F426AC62-218A-4727-8D18-87049000550E.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\Low 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\987B2D0E-2E92-4D5E-B0DC-2DDFC3D341EE.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\987B2D0E-2E92-4D5E-B0DC-2DDFC3D341EE.data.info 92 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9F339961-2D69-4C53-AD70-117A146492B3.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\9F339961-2D69-4C53-AD70-117A146492B3.data.info 100 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B82C0C53-21D7-4398-8A46-4E6669C5B66F.data 38400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B82C0C53-21D7-4398-8A46-4E6669C5B66F.data.info 94 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B89A757A-12B4-4D35-AFD4-E192EEAA7080.data 38400 bytes executable ---- EOF - GMER 2.1 ----