GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-31 10:43:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-001CA0 rev.15.01H15 465,76GB Running: 85k1xej1.exe; Driver: C:\Users\Dom\AppData\Local\Temp\uxriqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800035ae000 30 bytes [75, 72, 44, 38, 94, 24, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 591 fffff800035ae01f 16 bytes [49, 3B, D2, 48, 0F, 44, D1, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88006ba7d64 12 bytes {MOV RAX, 0xfffffa80067062a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776813c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776815c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077416ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077418184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SetParent 0000000077418530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!PostMessageA 000000007741a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!EnableWindow 000000007741aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!MoveWindow 000000007741aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007741c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007741cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007741d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendMessageA 000000007741d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007741dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007741f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007741f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007741fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077420b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077424d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!GetKeyState 0000000077425010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077425438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendMessageW 0000000077426b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!PostMessageW 00000000774276e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007742dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!GetClipboardData 000000007742e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007742f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774328e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!mouse_event 0000000077433894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077438a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077438be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077438c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendInput 0000000077438cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!BlockInput 000000007743ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774614e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!keybd_event 00000000774845a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007748cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007748df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776813c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776815c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe196bd0 3 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx + 4 000007fefe196bd4 1 byte [FF] .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077416ef0 8 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077418184 7 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SetParent 0000000077418530 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!PostMessageA 000000007741a404 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!EnableWindow 000000007741aaa0 9 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!MoveWindow 000000007741aad0 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007741c720 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007741cd50 8 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007741d2b0 5 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendMessageA 000000007741d338 5 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007741dc40 9 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007741f510 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007741f874 9 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007741fac0 9 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077420b74 10 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077424d4c 5 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!GetKeyState 0000000077425010 5 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077425438 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendMessageW 0000000077426b50 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!PostMessageW 00000000774276e4 7 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007742dd90 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!GetClipboardData 000000007742e874 5 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007742f780 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774328e4 12 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!mouse_event 0000000077433894 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077438a10 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077438be0 12 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077438c20 12 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendInput 0000000077438cd0 8 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!BlockInput 000000007743ad60 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774614e0 5 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!keybd_event 00000000774845a4 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007748cc08 5 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007748df18 7 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0378 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\lsm.exe[588] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe196bd0 3 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx + 4 000007fefe196bd4 1 byte [FF] .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0378 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\nvvsvc.exe[768] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[792] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe196bd0 3 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx + 4 000007fefe196bd4 1 byte [FF] .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0378 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe196bd0 3 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx + 4 000007fefe196bd4 1 byte [FF] .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0378 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1340] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\nvvsvc.exe[1348] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe196bd0 3 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx + 4 000007fefe196bd4 1 byte [FF] .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0378 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefde445c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\ws2_32.dll!getsockname 000007fefde49480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefde6e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[1716] C:\Windows\system32\ws2_32.dll!getpeername 000007fefde6e450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefde445c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\ws2_32.dll!getsockname 000007fefde49480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefde6e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\ws2_32.dll!getpeername 000007fefde6e450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1864] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1896] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefde445c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\WS2_32.dll!getsockname 000007fefde49480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefde6e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[1944] C:\Windows\system32\WS2_32.dll!getpeername 000007fefde6e450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text D:\SMITE Beta\HiPatchService.exe[1004] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2072] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2132] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000770230af 5 bytes JMP 0000000100bb008d .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\WS2_32.dll!connect 0000000077026bdd 5 bytes JMP 0000000100bb002d .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000077027147 5 bytes JMP 0000000100bb00bd .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007702cc3f 5 bytes JMP 0000000100bb005d .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 000000006b831a22 2 bytes [83, 6B] .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 000000006b831ad0 2 bytes [83, 6B] .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 000000006b831b08 2 bytes [83, 6B] .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 000000006b831bba 2 bytes [83, 6B] .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 000000006b831bda 2 bytes [83, 6B] .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[2384] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\viakaraokesrv.exe[2424] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2596] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\rundll32.exe[3032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2672] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2768] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000770230af 5 bytes JMP 000000010361008d .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\WS2_32.dll!connect 0000000077026bdd 5 bytes JMP 000000010361002d .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000077027147 5 bytes JMP 00000001036100bd .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007702cc3f 5 bytes JMP 000000010361005d .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2868] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\svchost.exe[2952] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefde445c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\WS2_32.dll!getsockname 000007fefde49480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefde6e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[3348] C:\Windows\system32\WS2_32.dll!getpeername 000007fefde6e450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3740] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077681490 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000770230af 5 bytes JMP 000000010020008d .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\WS2_32.dll!connect 0000000077026bdd 5 bytes JMP 000000010020002d .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000077027147 5 bytes JMP 00000001002000bd .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007702cc3f 5 bytes JMP 000000010020005d .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007782000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 00000000778af85a 5 bytes JMP 000000017785d571 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000770230af 5 bytes JMP 0000000100fe008d .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\WS2_32.dll!connect 0000000077026bdd 5 bytes JMP 0000000100fe002d .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000077027147 5 bytes JMP 0000000100fe00bd .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3092] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007702cc3f 5 bytes JMP 0000000100fe005d .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000770230af 5 bytes JMP 000000010029008d .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\WS2_32.dll!connect 0000000077026bdd 5 bytes JMP 000000010029002d .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000077027147 5 bytes JMP 00000001002900bd .text C:\Users\Dom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3832] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007702cc3f 5 bytes JMP 000000010029005d .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000010048d120 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000010049fc20 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000010049e100 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000010049ed90 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000010049c3c0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000010049e7a0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 00000001004a0080 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [C7, 88] .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000010049fe40 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000010049e400 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000010049cde0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000010049b670 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000010049f8b0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000010049bfe0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000010049ca40 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000010049f6a0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000010049f220 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000010049f460 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000010049c670 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000010049f020 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000100497f40 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000010048d240 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000100495070 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000100495c00 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000100493ba0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000010048d270 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000010048b6e0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000010048c470 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000010048b1a0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000010048ac20 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000010048c160 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000100488140 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000010048bc20 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001004893d0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000100488980 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000100487ea0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000100488c20 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000010048bec0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000010048b980 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000010048b440 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000010048c690 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000010048c8b0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000010048a160 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000010048a6a0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000010048aee0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000010048cb20 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000100488780 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000100489eb0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000100489c00 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000100489120 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000100489680 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000100489930 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000100488370 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000100487c90 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001004997c0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001004999d0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000010048a960 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000010048a400 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000100488580 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000100488f00 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000100498d10 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000100499530 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000100499e10 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000100498d50 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000100499280 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000100498ae0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000100499d10 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000100498ff0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001004944d0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Users\Dom\AppData\Local\Skillbrains\lightshot\4.4.2.0\LightShot.exe[3396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000770230af 5 bytes JMP 00000001002f008d .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\WS2_32.dll!connect 0000000077026bdd 5 bytes JMP 00000001002f002d .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000077027147 5 bytes JMP 00000001002f00bd .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007702cc3f 5 bytes JMP 00000001002f005d .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3836] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3200] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3504] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0378 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\conhost.exe[3436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0308 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e0340 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e03b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0378 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefde445c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\ws2_32.dll!getsockname 000007fefde49480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefde6e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3256] C:\Windows\system32\ws2_32.dll!getpeername 000007fefde6e450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f11465 2 bytes [F1, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f114bb 2 bytes [F1, 76] .text ... * 2 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[4064] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\SearchIndexer.exe[4948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2732] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2732] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2732] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4744] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\System32\svchost.exe[3144] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff8aa1a0 7 bytes JMP 000007fffd3e0180 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\DllHost.exe[3272] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefde445c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\ws2_32.dll!getsockname 000007fefde49480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefde6e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\wuauclt.exe[4556] C:\Windows\system32\ws2_32.dll!getpeername 000007fefde6e450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077653ae0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077657a90 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077681400 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776815d0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077681640 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077681680 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077681720 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776817b0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776817f0 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077681840 1 byte JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 0000000077681842 6 bytes {JMP 0xfffffffff896f190} .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077681860 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077681a50 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077681b60 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077681c30 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077681d80 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077681d90 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077682100 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077682190 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077682a00 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077682a80 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077682b00 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007751a420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077531b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\kernel32.dll!CreateProcessA 00000000775a8810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7d5290 7 bytes JMP 000007fffd3e0148 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefd9122cc 5 bytes JMP 000007fffd3e0260 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!BitBlt 000007fefd9124c0 5 bytes JMP 000007fffd3e0298 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefd915be0 5 bytes JMP 000007fffd3e02d0 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefd918398 9 bytes JMP 000007fffd3e01f0 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefd9189c8 9 bytes JMP 000007fffd3e01b8 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!GetPixel 000007fefd919344 5 bytes JMP 000007fffd3e0228 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefd91b9e8 5 bytes JMP 000007fffd3e0340 .text C:\Windows\system32\AUDIODG.EXE[5756] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefd925410 5 bytes JMP 000007fffd3e0308 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007782f9c0 5 bytes JMP 000000011001d120 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007782fc90 5 bytes JMP 000000011002fc20 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007782fd44 5 bytes JMP 000000011002e100 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007782fda8 5 bytes JMP 000000011002ed90 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007782fea0 5 bytes JMP 000000011002c3c0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007782ff84 5 bytes JMP 000000011002e7a0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007782ffe4 2 bytes JMP 0000000110030080 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 000000007782ffe7 2 bytes [80, 98] .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077830064 5 bytes JMP 000000011002fe40 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077830094 5 bytes JMP 000000011002e400 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077830398 5 bytes JMP 000000011002cde0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077830530 5 bytes JMP 000000011002b670 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077830674 5 bytes JMP 000000011002f8b0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007783086c 5 bytes JMP 000000011002bfe0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077830884 5 bytes JMP 000000011002ca40 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077830dd4 5 bytes JMP 000000011002f6a0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077830eb8 5 bytes JMP 000000011002f220 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077831bc4 5 bytes JMP 000000011002f460 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077831c94 5 bytes JMP 000000011002c670 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077831d6c 5 bytes JMP 000000011002f020 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007784c45a 5 bytes JMP 0000000110027f40 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077851217 7 bytes JMP 000000011001d240 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000752d103d 5 bytes JMP 0000000110025070 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752d1072 5 bytes JMP 0000000110025c00 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000752fc9b5 5 bytes JMP 0000000110023ba0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007558f776 5 bytes JMP 000000011001d270 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d08bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d090d3 7 bytes JMP 000000011001c470 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d09679 5 bytes JMP 000000011001b1a0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d097d2 5 bytes JMP 000000011001ac20 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d0ee09 5 bytes JMP 000000011001c160 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d0efc9 5 bytes JMP 0000000110018140 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d112a5 5 bytes JMP 000000011001bc20 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d1291f 5 bytes JMP 00000001100193d0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d12d64 5 bytes JMP 0000000110018980 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d12da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d13698 5 bytes JMP 0000000110018c20 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d13baa 5 bytes JMP 000000011001bec0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d13c61 5 bytes JMP 000000011001b980 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d1612e 5 bytes JMP 000000011001b440 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d16c30 7 bytes JMP 000000011001c690 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d17603 5 bytes JMP 000000011001c8b0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d17668 5 bytes JMP 000000011001a160 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d176e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d1781f 5 bytes JMP 000000011001aee0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d1835c 5 bytes JMP 000000011001cb20 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d1c4b6 5 bytes JMP 0000000110018780 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d2c112 5 bytes JMP 0000000110019eb0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d2d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d2eb96 5 bytes JMP 0000000110019120 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d2ec68 5 bytes JMP 0000000110019680 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d2ff4a 5 bytes JMP 0000000110019930 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d49f1d 5 bytes JMP 0000000110018370 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d51497 5 bytes JMP 0000000110017c90 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d6027b 5 bytes JMP 00000001100297c0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d602bf 5 bytes JMP 00000001100299d0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d66cfc 5 bytes JMP 000000011001a960 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d66d5d 5 bytes JMP 000000011001a400 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d67dd7 5 bytes JMP 0000000110018580 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d688eb 5 bytes JMP 0000000110018f00 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e958b3 5 bytes JMP 0000000110028d10 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 5 bytes JMP 0000000110029530 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e97bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9b895 5 bytes JMP 0000000110028d50 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c332 5 bytes JMP 0000000110029280 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e743 5 bytes JMP 0000000110029d10 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4646 5 bytes JMP 0000000110028ff0 .text C:\Users\Dom\Desktop\85k1xej1.exe[6484] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fc2538 5 bytes JMP 00000001100244d0 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107df1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800107dcc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107e69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800107ea98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107e8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [1401caad0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1401cbfb0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DefFrameProcW] [1401cb110] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DrawMenuBar] [1401cc050] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\dwmapi.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3412] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80051c42c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80051c42c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80051c42c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80051c42c0 Device \FileSystem\Ntfs \Ntfs fffffa8005af02c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80066c62c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80066c62c0 Device \Driver\cdrom \Device\CdRom0 fffffa80063622c0 Device \Driver\cdrom \Device\CdRom1 fffffa80063622c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{175AEA62-78D0-4418-AE02-B5C2D33DFECE} fffffa80064692c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{CB9C7DE9-AC60-41E4-BA0A-CA8CF66E74B9} fffffa80064692c0 Device \Driver\dtsoftbus01 \Device\00000069 fffffa80062782c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa800682b2c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80066c62c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa80066c62c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80062782c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80066c62c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80066c62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8FC18900-7E19-467E-AF73-28903026E439} fffffa80064692c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80064692c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa800682b2c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa80066c62c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80051c42c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80051c42c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80066c62c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80051c42c0]<< sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80051c42c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800614c060] fffffa800614c060 Trace 3 CLASSPNP.SYS[fffff880013b243f] -> nt!IofCallDriver -> [0xfffffa8005174e40] fffffa8005174e40 Trace 5 ACPI.sys[fffff88000ee07a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8005bef060] fffffa8005bef060 Trace \Driver\atapi[0xfffffa8005bbd060] -> IRP_MJ_CREATE -> 0xfffffa80051c42c0 fffffa80051c42c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE2 0x28 0xCA 0x1E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE2 0x28 0xCA 0x1E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ ---- Files - GMER 2.1 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0571CEB4-68B2-4321-BB1C-D68EF3FFEF89.data 802221 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\0571CEB4-68B2-4321-BB1C-D68EF3FFEF89.data.info 138 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1396363E-D481-499B-9035-B3E95BCD030B.data 55808 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1396363E-D481-499B-9035-B3E95BCD030B.data.info 160 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\16E6A5C5-063A-4AF5-985E-BDD92719F036.data 29696 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\16E6A5C5-063A-4AF5-985E-BDD92719F036.data.info 158 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\180F5C7A-5AAB-4033-8115-912E428BF24B.data 1300029 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\180F5C7A-5AAB-4033-8115-912E428BF24B.data.info 126 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\199A30A5-04CB-48B9-8271-B6E7ACB83B8B.data 1787720 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\199A30A5-04CB-48B9-8271-B6E7ACB83B8B.data.info 212 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1B7AFAB0-F694-44AB-878D-C2E933847DA4.data 286920 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1B7AFAB0-F694-44AB-878D-C2E933847DA4.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1C49C092-C728-4E06-9558-78BE3796FA3B.data 93670 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\1C49C092-C728-4E06-9558-78BE3796FA3B.data.info 108 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\24E5783B-7A34-4AA2-B921-99AF9AE0F22A.data 55808 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\24E5783B-7A34-4AA2-B921-99AF9AE0F22A.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5FC4B43B-D3FB-4F22-AE70-60D8D2372637.data.info 186 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\60C84408-D715-40E1-A09E-99A4DBE86BEE.data 3380216 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\60C84408-D715-40E1-A09E-99A4DBE86BEE.data.info 160 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6B0923FA-37BD-424E-9195-8D72E16A7AD8.data 1929216 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6B0923FA-37BD-424E-9195-8D72E16A7AD8.data.info 176 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6D5C6BF0-034A-49A3-A07A-E25268EACA21.data 870400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\6D5C6BF0-034A-49A3-A07A-E25268EACA21.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\723A3C75-0C3F-4508-BC34-CA3153A1BCBC.data 343552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\723A3C75-0C3F-4508-BC34-CA3153A1BCBC.data.info 150 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7767B6AA-C902-4FB4-8E34-725582D791DD.data 8192 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7767B6AA-C902-4FB4-8E34-725582D791DD.data.info 264 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7A313742-0EEF-4AEF-88BA-7E05F1E2DBC7.data 343552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7A313742-0EEF-4AEF-88BA-7E05F1E2DBC7.data.info 152 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\266765F3-A8C4-4116-B188-4E7CC2D065B7.data.info 166 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\27F909B3-0FB7-4CD7-900B-63A83FDDC4EB.data 55808 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\27F909B3-0FB7-4CD7-900B-63A83FDDC4EB.data.info 162 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B0E24E3-4CED-4FE7-AB82-23AE6EE3986D.data 4620384 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B0E24E3-4CED-4FE7-AB82-23AE6EE3986D.data.info 154 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B9E065B-1539-4945-84EF-C6AA35C4C05C.data 6828888 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2B9E065B-1539-4945-84EF-C6AA35C4C05C.data.info 162 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2D9FC057-DED1-4BEE-90CE-90265D78E08D.data 78563 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\2D9FC057-DED1-4BEE-90CE-90265D78E08D.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3A4C08D1-D09B-4091-8B87-816708ACC9EA.data 1060207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3A4C08D1-D09B-4091-8B87-816708ACC9EA.data.info 168 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3D75E59E-8074-41D5-B31C-02C6121D32E3.data 11249465 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3D75E59E-8074-41D5-B31C-02C6121D32E3.data.info 118 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B6EDADED-62EA-4016-8AFD-89C968924BD3.data.info 154 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BB178D06-4EB3-4FDA-8B4F-8582791AB32F.data 347648 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BB178D06-4EB3-4FDA-8B4F-8582791AB32F.data.info 184 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BFD62D65-8A69-4171-B769-45B297148E12.data 861809 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BFD62D65-8A69-4171-B769-45B297148E12.data.info 146 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CD26C71F-9E5A-4D02-AF41-66176C70D727.data 310320 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CD26C71F-9E5A-4D02-AF41-66176C70D727.data.info 198 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CDA30E39-1831-4B28-9078-4BFD7A03A0B7.data 659824 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\CDA30E39-1831-4B28-9078-4BFD7A03A0B7.data.info 142 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D03E9D73-4A30-4C8D-868B-DE7465717254.data 2772 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D03E9D73-4A30-4C8D-868B-DE7465717254.data.info 166 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D0B0E5EA-478F-44A0-A25A-569226BFD99D.data 8192 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D0B0E5EA-478F-44A0-A25A-569226BFD99D.data.info 264 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D57F9365-5FA5-4882-9141-90505F4FB7F4.data 290800 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D57F9365-5FA5-4882-9141-90505F4FB7F4.data.info 200 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\DA226200-B512-469E-9D7F-DC9022461810.data 64379 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\DA226200-B512-469E-9D7F-DC9022461810.data.info 176 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F8098248-F1F1-4CBF-BF20-16E78CD5F1C7.data 29696 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F8098248-F1F1-4CBF-BF20-16E78CD5F1C7.data.info 156 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FC0A4D2D-A1BF-4866-8240-1E665ED6E792.data 343552 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\FC0A4D2D-A1BF-4866-8240-1E665ED6E792.data.info 100 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\266765F3-A8C4-4116-B188-4E7CC2D065B7.data 1090048 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3F8D3B04-045D-473F-9AC0-95045575173A.data 55808 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5FC4B43B-D3FB-4F22-AE70-60D8D2372637.data 115204 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8825D4FA-2328-4C6F-BAC4-CE3259ADE04B.data 6571484 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B6EDADED-62EA-4016-8AFD-89C968924BD3.data 4087768 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\8825D4FA-2328-4C6F-BAC4-CE3259ADE04B.data.info 198 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\97FD6DB5-C2CE-4E5A-9BC8-183EA355C87D.data 38029 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\97FD6DB5-C2CE-4E5A-9BC8-183EA355C87D.data.info 212 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\98923206-63AE-480F-AFCF-DCCFF768A6DF.data 55808 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\98923206-63AE-480F-AFCF-DCCFF768A6DF.data.info 150 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A947958B-ADAA-475E-BA23-EEB61D6A2DA4.data 7604 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A947958B-ADAA-475E-BA23-EEB61D6A2DA4.data.info 212 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AEC2CD16-CB16-4AAA-BF1F-F271E3FB20DA.data 2683184 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AEC2CD16-CB16-4AAA-BF1F-F271E3FB20DA.data.info 250 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B4458594-0B20-49EC-95AC-4CB565ECBDEF.data 1929216 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B4458594-0B20-49EC-95AC-4CB565ECBDEF.data.info 176 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3F8D3B04-045D-473F-9AC0-95045575173A.data.info 106 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\49B33C14-E448-423F-AD98-C744E66F17E0.data 803512 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\49B33C14-E448-423F-AD98-C744E66F17E0.data.info 188 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4F1A9060-AF7B-41E1-AED7-DE8F0D63F045.data 1060207 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4F1A9060-AF7B-41E1-AED7-DE8F0D63F045.data.info 180 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\53F789D6-E2F2-4C33-9392-2041DD3003E8.data 6828888 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\53F789D6-E2F2-4C33-9392-2041DD3003E8.data.info 236 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\540BBB37-273C-4D69-97DC-9C87D25320EA.data 249952 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\540BBB37-273C-4D69-97DC-9C87D25320EA.data.info 186 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\56651EEC-FD8E-4C35-A9BE-5190DFFF9DCF.data 119 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\56651EEC-FD8E-4C35-A9BE-5190DFFF9DCF.data.info 148 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5A9E911D-C814-4223-BA36-C56B985DC43B.data 870400 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5A9E911D-C814-4223-BA36-C56B985DC43B.data.info 158 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5F39C8FB-4F7F-4381-B8BF-96061018E97A.data 249952 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\5F39C8FB-4F7F-4381-B8BF-96061018E97A.data.info 186 bytes File C:\Users\Dom\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000759 479232 bytes File C:\Users\Dom\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00075a 7897088 bytes ---- EOF - GMER 2.1 ----