GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-03 14:43:08 Windows 6.1.7600 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3 SAMSUNG_HD250HJ rev.FH100-06 232,89GB Running: gmer.exe; Driver: C:\Users\Szarik\AppData\Local\Temp\pfdiqpob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800809fc34 12 bytes {MOV RAX, 0xfffffa8004fa02a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776cff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776d0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776cff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776d0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\services.exe[624] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text 
C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes JMP 340038 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd9e5720 6 bytes JMP 0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077487640 6 bytes {JMP QWORD [RIP+0x8f589f0]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077489554 6 bytes {JMP QWORD [RIP+0x9036adc]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetParent 0000000077489870 6 bytes {JMP QWORD [RIP+0x8f767c0]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetWindowLongA 000000007748c044 6 bytes {JMP QWORD [RIP+0x8cd3fec]} .text 
C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!PostMessageA 000000007748ca54 6 bytes {JMP QWORD [RIP+0x8d135dc]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!EnableWindow 000000007748d0f0 6 bytes {JMP QWORD [RIP+0x9072f40]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!MoveWindow 000000007748d120 6 bytes {JMP QWORD [RIP+0x8f92f10]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007748f0c4 6 bytes {JMP QWORD [RIP+0x8f30f6c]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007748f690 6 bytes {JMP QWORD [RIP+0x90109a0]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007748fc50 6 bytes {JMP QWORD [RIP+0x8d503e0]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendMessageA 000000007748fcd8 6 bytes {JMP QWORD [RIP+0x8d90358]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774903f0 6 bytes {JMP QWORD [RIP+0x8e6fc40]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077491f30 6 bytes {JMP QWORD [RIP+0x904e100]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077492294 6 bytes {JMP QWORD [RIP+0x8c8dd9c]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077493464 6 bytes {JMP QWORD [RIP+0x8d6cbcc]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077495c34 6 bytes {JMP QWORD [RIP+0x8cea3fc]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000774971e9 5 bytes {JMP QWORD [RIP+0x8ca8e48]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!GetKeyState 00000000774978c0 6 bytes {JMP QWORD 
[RIP+0x8f08770]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077498e28 6 bytes {JMP QWORD [RIP+0x8e27208]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077498f9c 6 bytes {JMP QWORD [RIP+0x8de7094]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!PostMessageW 00000000774992d4 6 bytes {JMP QWORD [RIP+0x8d26d5c]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendMessageW 000000007749a800 6 bytes {JMP QWORD [RIP+0x8da5830]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000774a0bf8 6 bytes {JMP QWORD [RIP+0x8e9f438]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!GetClipboardData 00000000774a1584 6 bytes {JMP QWORD [RIP+0x8fdeaac]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000774a2360 6 bytes {JMP QWORD [RIP+0x8f9dcd0]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774a5508 6 bytes {JMP QWORD [RIP+0x8e3ab28]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!mouse_event 00000000774a62c4 6 bytes {JMP QWORD [RIP+0x8c39d6c]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774a91a0 6 bytes {JMP QWORD [RIP+0x8ed6e90]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000774a92e0 6 bytes {JMP QWORD [RIP+0x8db6d50]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000774a9320 6 bytes {JMP QWORD [RIP+0x8c56d10]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendInput 00000000774a93d0 6 bytes {JMP QWORD [RIP+0x8eb6c60]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!BlockInput 
00000000774ab430 6 bytes {JMP QWORD [RIP+0x8fb4c00]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774d16e0 6 bytes {JMP QWORD [RIP+0x904e950]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!keybd_event 00000000774f4474 6 bytes {JMP QWORD [RIP+0x8bcbbbc]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774fcc58 6 bytes {JMP QWORD [RIP+0x8e233d8]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774fdec8 6 bytes {JMP QWORD [RIP+0x8da2168]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes JMP 58583b14 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes JMP 0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes JMP 880000d0 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP a6f .text C:\Windows\system32\services.exe[624] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 5 .text C:\Windows\system32\services.exe[624] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x5dcc0]} .text C:\Windows\system32\services.exe[624] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text 
C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text 
C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 9c6 .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 730073 .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!CreateDCW 
000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 47e .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\lsm.exe[648] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\lsm.exe[648] 
C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x4dcc0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes JMP 4e40c3b .text C:\Windows\system32\winlogon.exe[684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[808] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text 
C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd9e5720 6 bytes {JMP QWORD [RIP+0x11a910]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text 
C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc54 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 
0000000077880358 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes 
JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files 
(x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] 
C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] 
C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes 
JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[888] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717b000a .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[924] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text 
C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd9e5720 6 bytes {JMP QWORD [RIP+0x11a910]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 1 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[924] 
C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text 
C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP 
QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[268] 
C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes JMP 17c .text C:\Windows\system32\svchost.exe[268] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!CreateDCA 
000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes 
{JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\System32\svchost.exe[496] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} 
.text C:\Windows\System32\svchost.exe[496] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes JMP 89ab570 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes JMP 8863a51 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes JMP b9ec81 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes JMP b45165a .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes JMP 8eac780 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes JMP 8e993b1 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes JMP 4800e81 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes JMP 186500 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes JMP 5bc801 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes JMP c122ca1 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes JMP 90f4f39 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes JMP 8dc4350 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes JMP 10009 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes JMP 130013 .text C:\Windows\System32\svchost.exe[572] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes JMP 10001 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes JMP c2e5d90 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes JMP 8e99681 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes JMP 8e83251 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes JMP 8e97f71 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes JMP 45 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes JMP fdb0c0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes JMP cfd5c0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes JMP 8c91180 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 9c6 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!CreateDCW 
000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 47e .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[572] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} 
.text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd9e5720 6 bytes {JMP QWORD [RIP+0x11a910]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes JMP 2 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1008] 
C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP f3cb6210 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\AUDIODG.EXE[1124] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text 
C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\AUDIODG.EXE[1124] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[1200] 
C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text 
C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text 
C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 13a81 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\atieclxx.exe[1308] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 
9b30000 .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\atieclxx.exe[1308] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text 
C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP 
QWORD [RIP+0x904f300]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes JMP 73a .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 1000100 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes JMP 3ed6 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\spoolsv.exe[1708] 
C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\taskhost.exe[1732] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes JMP ab750 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text 
C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 9c0121 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} 
.text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd9e5720 6 bytes {JMP QWORD [RIP+0x11a910]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD 
[RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc54 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes [EA, 70] .text C:\Program Files 
(x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 
372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!MoveWindow 
00000000775a35fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 7121000a .text 
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 711b000a .text C:\Program Files 
(x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] 
C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1932] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7193000a .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD [RIP+0x8f0fec0]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD 
[RIP+0x8f8fce0]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Windows\system32\svchost.exe[1380] 
C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 77680000 C:\Windows\SYSTEM32\ntdll.dll .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes 
{JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1380] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc54 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70dd000a 
.text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7127000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] 
C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 7142000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7196000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077331401 2 bytes JMP 7576eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077331419 2 bytes JMP 7577b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077331431 2 bytes JMP 757f8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007733144a 2 bytes CALL 75751dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773314dd 2 bytes JMP 757f7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773314f5 2 bytes JMP 757f80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007733150d 2 bytes JMP 757f7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077331525 2 bytes JMP 757f81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007733153d 2 bytes JMP 7576f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077331555 2 bytes JMP 7577b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007733156d 2 bytes JMP 757f86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077331585 2 bytes JMP 757f8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007733159d 2 bytes JMP 757f7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773315b5 2 bytes JMP 7576f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773315cd 2 bytes JMP 7577b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773316b2 2 bytes JMP 757f8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773316bd 2 bytes JMP 757f7d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 6 bytes {JMP QWORD [RIP+0x899d060]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 6 bytes {JMP QWORD 
[RIP+0x8f0fec0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x8fefe50]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fafe10]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x900fd70]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8f8fce0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8e8fca0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eafc50]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x8fcfc30]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x908fa40]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8e6f930]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f2f860]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x902f710]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x906f700]} .text C:\Program Files\Microsoft 
LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f4f390]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x904f300]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8f6ea90]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8ecea10]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8eee990]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d34c60]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8ce1880]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c87900]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 
bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes JMP 43000a .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1192] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc54 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 
4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70de000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70de000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 00000000cc15c8bd .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Program 
Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes [F2, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70db000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70db000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes [D4, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes [EF, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes [D7, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes [EC, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common 
Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 
bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!EnableWindow 
00000000775a3f54 6 bytes JMP 710b000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] 
C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 
4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] 
C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2052] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70dd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70dd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70e9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70e9000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7102000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes 
[D9, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ef000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ef000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70d7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70d7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ec000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ec000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes 
JMP 00000001000303fc .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001002301f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 
3 bytes JMP 710e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001002303fc .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100230600 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100230804 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100230a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000721917fa 2 bytes CALL 75751199 C:\Windows\syswow64\KERNEL32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072191860 2 bytes CALL 75751199 C:\Windows\syswow64\KERNEL32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072191942 2 bytes JMP 76edc29f C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007219194d 2 bytes JMP 76ed418d C:\Windows\syswow64\WS2_32.dll .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\fltlib.dll!FilterConnectCommunicationPort 00000000751512c6 6 bytes JMP 71a4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\fltlib.dll!FilterSendMessage 0000000075152384 6 bytes JMP 71a1000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70da000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70da000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 00000001001b1014 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 00000001001b0804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 00000001001b0a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 00000001001b0c0c .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 00000001001b0e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001001b01f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001001b03fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 00000001001b0600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Program Files (x86)\Alcohol 
Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710b000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] 
C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7183000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 
718c000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7177000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2668] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717a000a .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 00000001001c163c .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Windows\system32\svchost.exe[2708] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001001c19f4 .text 
C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 
000007ff7dfd19f4 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes JMP d2e .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Windows\system32\sppsvc.exe[3044] 
C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!BitBlt 
000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes JMP 4833 .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\sppsvc.exe[3044] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010018075c .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010018163c .text 
C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100181284 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD 
[RIP+0x8f9f390]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001001819f4 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 
000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\system32\svchost.exe[3100] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes JMP d2e .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text 
C:\Windows\system32\svchost.exe[3100] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 00000001003b075c .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001003b03a4 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 00000001003b0b14 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 00000001003b0ecc .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 00000001003b163c .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 00000001003b1284 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 
00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001003b19f4 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 
bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 13a81 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 
bytes JMP 000007ff7dfd0b14 .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\Dwm.exe[3748] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010046075c .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001004603a4 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8960090]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 0000000100460b14 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100460ecc .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010046163c .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x904fe50]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x900fe10]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x906fd70]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fefce0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8edfca0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100461284 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8effc50]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x902fc30]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90efa40]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8ebf930]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f8f860]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x908f710]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90cf700]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8faf390]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x90af300]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001004619f4 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fcea90]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f1ea10]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f3e990]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d54c60]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8d01880]} .text 
C:\Windows\Explorer.EXE[3772] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8ca7900]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xf2de04]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0xf4dc18]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0xf68c80]} .text C:\Windows\Explorer.EXE[3772] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xe47dd8]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0xe27cb8]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xf069cc]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0xfa44ec]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0xf823b8]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077487640 6 bytes {JMP QWORD [RIP+0x8fa89f0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077489554 6 bytes {JMP QWORD [RIP+0x9086adc]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetParent 0000000077489870 6 bytes {JMP QWORD [RIP+0x8fc67c0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!UnhookWinEvent 00000000774898f0 5 bytes JMP 000000007fff075c .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetWindowLongA 000000007748c044 6 bytes {JMP QWORD [RIP+0x8d23fec]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!PostMessageA 000000007748ca54 6 bytes {JMP QWORD [RIP+0x8d635dc]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!EnableWindow 000000007748d0f0 6 bytes {JMP QWORD [RIP+0x90c2f40]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!MoveWindow 000000007748d120 6 bytes {JMP QWORD [RIP+0x8fe2f10]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007748f0c4 6 bytes {JMP QWORD [RIP+0x8f80f6c]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007748f690 6 bytes {JMP QWORD [RIP+0x90609a0]} .text C:\Windows\Explorer.EXE[3772] 
C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007748fc50 6 bytes {JMP QWORD [RIP+0x8da03e0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendMessageA 000000007748fcd8 6 bytes {JMP QWORD [RIP+0x8de0358]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000000007748fe60 5 bytes JMP 000000007fff1284 .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774903f0 6 bytes {JMP QWORD [RIP+0x8ebfc40]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077491f30 6 bytes {JMP QWORD [RIP+0x909e100]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077492294 2 bytes JMP 000000007fff0ecc .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 3 0000000077492297 2 bytes [B5, 08] .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077493464 6 bytes {JMP QWORD [RIP+0x8dbcbcc]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077495c34 6 bytes {JMP QWORD [RIP+0x8d3a3fc]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000774971e8 5 bytes JMP 000000007fff03a4 .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!GetKeyState 00000000774978c0 6 bytes {JMP QWORD [RIP+0x8f58770]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077498e28 6 bytes {JMP QWORD [RIP+0x8e77208]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077498f9c 6 bytes {JMP QWORD [RIP+0x8e37094]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!PostMessageW 00000000774992d4 6 bytes {JMP QWORD [RIP+0x8d76d5c]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendMessageW 000000007749a800 6 bytes {JMP QWORD [RIP+0x8df5830]} .text 
C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000774a0bf8 6 bytes {JMP QWORD [RIP+0x8eef438]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!GetClipboardData 00000000774a1584 6 bytes {JMP QWORD [RIP+0x902eaac]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000774a2360 6 bytes {JMP QWORD [RIP+0x8fedcd0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774a5508 6 bytes {JMP QWORD [RIP+0x8e8ab28]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!mouse_event 00000000774a62c4 6 bytes {JMP QWORD [RIP+0x8c59d6c]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774a91a0 6 bytes {JMP QWORD [RIP+0x8f26e90]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000774a92e0 6 bytes {JMP QWORD [RIP+0x8e06d50]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000774a9320 5 bytes JMP 000000007fff0b14 .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendInput 00000000774a93d0 6 bytes {JMP QWORD [RIP+0x8f06c60]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!BlockInput 00000000774ab430 6 bytes {JMP QWORD [RIP+0x9004c00]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774d16e0 6 bytes {JMP QWORD [RIP+0x909e950]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!keybd_event 00000000774f4474 6 bytes {JMP QWORD [RIP+0x8bebbbc]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774fcc58 6 bytes {JMP QWORD [RIP+0x8e733d8]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774fdec8 6 bytes {JMP QWORD [RIP+0x8df2168]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 
000007fefd432370 6 bytes {JMP QWORD [RIP+0x5dcc0]} .text C:\Windows\Explorer.EXE[3772] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x7da98]} .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes [FF, 25, 1E] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes [DF, 70] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e6000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e6000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70dd000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70dd000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70e9000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70e9000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 
bytes JMP 7102000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e3000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e3000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d1000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d1000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f2000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f2000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes [FF, 25, 1E] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes [D9, 70] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes [FF, 25, 1E] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes [D3, 70] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ef000a 
.text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ef000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes [FF, 25, 1E] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes [D6, 70] .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ec000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ec000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text 
C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001001001f8 .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001001003fc .text C:\Windows\vVX3000.exe[3948] 
C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710b000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100100600 .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100100804 .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Windows\vVX3000.exe[3948] 
C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100100a08 .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 
00000000775f8a7f 2 bytes JMP 7126000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7183000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7180000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7177000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717d000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717a000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 0000000100111014 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 0000000100110804 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 0000000100110a08 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 0000000100110c0c .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 0000000100110e10 .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001001101f8 .text 
C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001001103fc .text C:\Windows\vVX3000.exe[3948] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 0000000100110600 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 1A] .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xf2de04]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0xf4dc18]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0xf68c80]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xe47dd8]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!CreateDCA 
000007fefe568378 6 bytes {JMP QWORD [RIP+0xe27cb8]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xf069cc]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0xfa44ec]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0xf823b8]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 
6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xf2de04]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0xf4dc18]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0xf68c80]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xe47dd8]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0xe27cb8]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xf069cc]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0xfa44ec]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0xf823b8]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Program 
Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010033075c .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001003303a4 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 
bytes JMP 0000000100330b14 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100330ecc .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010033163c .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100331284 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text 
C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001003319f4 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\SearchIndexer.exe[2976] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text 
C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\SearchIndexer.exe[2976] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010035075c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001003503a4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 0000000100350b14 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100350ecc .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010035163c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Program 
Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100351284 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Program 
Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001003519f4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] 
C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Program 
Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010039075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001003903a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 0000000100390b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100390ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010039163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100391284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001003919f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010046075c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001004603a4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8960090]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 0000000100460b14 .text 
C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100460ecc .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010046163c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes JMP 650063 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes JMP 200066 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes JMP 530069 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes JMP 320031 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes JMP 6c0065 C:\Windows\system32\guard64.dll .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100461284 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes JMP 690074 C:\Windows\system32\guard64.dll .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes JMP 65007a .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes JMP 64 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 
00000000776d0920 6 bytes JMP 750061 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes JMP 320035 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes JMP 630020 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes JMP 720063 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001004619f4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes JMP 200074 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d54c60]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8d01880]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8ca7900]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xf2de04]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0xf4dc18]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0xf68c80]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xe47dd8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0xe27cb8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xf069cc]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0xfa44ec]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0xf823b8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 
000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70ab000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70ab000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero 
BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70ae000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70ae000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 709c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 709c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70a5000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70a5000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 709f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 709f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70a2000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70a2000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] 
C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 717d000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 717a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7171000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 7177000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 7174000a .text C:\Program Files (x86)\Nero\Nero 
10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7150000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7144000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 713e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7138000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 714a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 70fa000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] 
C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 714d000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7147000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 70d9000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 70f7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 
bytes JMP 70eb000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7106000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 710f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7103000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7141000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7153000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 713b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 70df000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 7109000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7100000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7100000a .text C:\Program Files 
(x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 70e5000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 70d6000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7162000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 716a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7112000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 710c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] 
C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 3 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 4 0000000077345258 1 byte [88] .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077331401 2 bytes JMP 7576eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077331419 2 bytes JMP 7577b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 
0000000077331431 2 bytes JMP 757f8609 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007733144a 2 bytes CALL 75751dfa C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773314dd 2 bytes JMP 757f7efe C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773314f5 2 bytes JMP 757f80d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007733150d 2 bytes JMP 757f7df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077331525 2 bytes JMP 757f81c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007733153d 2 bytes JMP 7576f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077331555 2 bytes JMP 7577b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007733156d 2 bytes JMP 757f86c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077331585 2 bytes JMP 757f8222 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] 
C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007733159d 2 bytes JMP 757f7db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773315b5 2 bytes JMP 7576f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773315cd 2 bytes JMP 7577b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773316b2 2 bytes JMP 757f8584 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773316bd 2 bytes JMP 757f7d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71a1000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71a1000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc54 2 bytes [CD, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70b9000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70b9000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70bf000a .text C:\Program Files\AVAST 
Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70bf000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes [B5, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70c2000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70c2000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes [D9, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70d7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70d7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70bc000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70bc000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70aa000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70aa000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70e2000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70e2000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes [CA, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes [B2, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70ad000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70ad000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes [C7, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes [AF, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes [C4, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes [D3, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes [D0, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 6 bytes JMP 719a000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007575102d 6 bytes {JMP QWORD [RIP+0x718d001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075751062 6 bytes {JMP QWORD [RIP+0x718a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007577126f 6 bytes {JMP QWORD [RIP+0x7181001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes {JMP QWORD [RIP+0x7190001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 719e0000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes {JMP QWORD [RIP+0x7145001e]} .text C:\Program 
Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes {JMP QWORD [RIP+0x7139001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes {JMP QWORD [RIP+0x7133001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 712e000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes [F0, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 6 bytes {JMP QWORD [RIP+0x714b001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7140000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes [EA, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes [FC, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes {JMP QWORD [RIP+0x7142001e]} .text C:\Program Files\AVAST 
Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes {JMP QWORD [RIP+0x713c001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes [FF, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes {JMP QWORD [RIP+0x70e7001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes [0B, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 6 bytes {JMP QWORD [RIP+0x7151001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes [F9, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes {JMP QWORD [RIP+0x711e001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 6 bytes {JMP QWORD [RIP+0x714e001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes {JMP QWORD 
[RIP+0x7127001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes {JMP QWORD [RIP+0x7136001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes {JMP QWORD [RIP+0x7148001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes {JMP QWORD [RIP+0x7130001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes {JMP QWORD [RIP+0x70ed001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes {JMP QWORD [RIP+0x7121001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes [0E, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes {JMP QWORD [RIP+0x70f3001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes {JMP QWORD [RIP+0x70e4001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes {JMP QWORD [RIP+0x7154001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes {JMP QWORD [RIP+0x7157001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes {JMP QWORD [RIP+0x712a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes {JMP QWORD [RIP+0x7124001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes [F6, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes [02, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7170000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7164000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes {JMP QWORD [RIP+0x717e001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes {JMP QWORD [RIP+0x7178001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes {JMP QWORD [RIP+0x715a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes {JMP QWORD [RIP+0x7160001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes {JMP QWORD [RIP+0x717b001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] 
C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes {JMP QWORD [RIP+0x715d001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes {JMP QWORD [RIP+0x7187001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4428] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes {JMP QWORD [RIP+0x7184001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Common Files\Java\Java 
Update\jusched.exe[4588] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 3 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 4 0000000077345258 1 byte [88] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes 
JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7183000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7177000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] 
C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4588] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 
5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 
0000000077881d2c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 
7141000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] 
C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7183000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7177000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717d000a .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077331401 2 bytes JMP 7576eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077331419 2 bytes JMP 7577b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077331431 2 bytes JMP 757f8609 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007733144a 2 bytes CALL 75751dfa C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773314dd 2 bytes JMP 757f7efe C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773314f5 2 bytes JMP 757f80d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007733150d 2 bytes JMP 757f7df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077331525 2 bytes JMP 757f81c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007733153d 2 bytes JMP 7576f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077331555 2 bytes JMP 7577b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007733156d 2 bytes JMP 757f86c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077331585 2 bytes JMP 757f8222 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007733159d 2 bytes JMP 757f7db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773315b5 2 bytes JMP 7576f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773315cd 2 bytes JMP 7577b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773316b2 2 bytes JMP 757f8584 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773316bd 2 bytes JMP 757f7d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 00000001001a075c .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001001a03a4 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 00000001001a0b14 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 
00000000776d0090 5 bytes JMP 00000001001a0ecc .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 00000001001a163c .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 00000001001a1284 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Windows\System32\svchost.exe[5068] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001001a19f4 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD [RIP+0x8d44c60]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text 
C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes JMP 300024 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes JMP 2b01660 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] 
C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff7ca1a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff7efa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[5068] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes [42, 5B, 06] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] 
C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70da000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70da000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70dd000a 
.text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 
0000000077880638 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70f0000a .text C:\Program Files 
(x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 7190000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 718d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 7184000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 7193000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71a10000 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7153000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7147000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 7141000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 
6 bytes JMP 713b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7108000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7108000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 714d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 7102000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 7102000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 7120000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7114000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7114000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 7150000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 714a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7117000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 
2 bytes JMP 7117000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 70ff000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 711d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 7123000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 7123000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 7111000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 7111000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 712c000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7135000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7129000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7144000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7156000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 713e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7105000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 712f000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7126000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7126000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 710b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 70fc000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7165000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7168000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7138000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 7132000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 710e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 710e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 711a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 711a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7178000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 7181000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 716b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 717e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 716e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 718a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7187000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Nero\Update\NASvc.exe[2568] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70a2000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70a2000a .text 
C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 709f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 709f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70ab000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70ab000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70a5000a .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70a5000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 7093000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 7093000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 709c000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 709c000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 7096000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 7096000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 7099000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 7099000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ae000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ae000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70be000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70be000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!SleepEx + 19 00000000757511fd 7 bytes JMP 0000000110002b60 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!GetModuleHandleW + 125 0000000075751dd0 7 bytes JMP 0000000110002ae0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!DisableThreadLibraryCalls + 19 0000000075751e0d 7 bytes JMP 0000000110002ab0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryW + 21 0000000075751e27 7 bytes JMP 0000000110002b20 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!RegGetValueW + 607 0000000075754bc1 7 bytes JMP 0000000110002a80 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7154000a .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 7142000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 713c000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 714e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 70ee000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 7151000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 714b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 70cd000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 70eb000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!GetMenu + 388 00000000775a5835 7 bytes JMP 0000000110053ac0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 104 00000000775a9662 7 bytes JMP 0000000110053bf0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 70df000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 70df000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7114000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 711d000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7111000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7145000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7157000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 713f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 70d3000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 7117000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 710e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 710e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 70d9000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 70ca000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 00000000775efe28 7 bytes JMP 0000000110053c60 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 00000000775efe61 7 bytes JMP 0000000110053d30 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31 00000000775efe85 7 bytes JMP 0000000110053ce0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 716b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 716e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7139000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 711a000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!BlockInput + 4 
00000000775f7f6b 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 717d000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 717a000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7171000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 7177000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 7174000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077331401 2 bytes JMP 7576eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077331419 2 bytes JMP 7577b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077331431 2 bytes JMP 757f8609 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007733144a 2 bytes CALL 75751dfa C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773314dd 2 bytes JMP 757f7efe C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773314f5 2 bytes JMP 757f80d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007733150d 2 bytes JMP 757f7df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077331525 2 bytes JMP 757f81c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007733153d 2 bytes JMP 7576f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077331555 2 bytes JMP 7577b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007733156d 2 bytes JMP 757f86c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077331585 2 bytes JMP 757f8222 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007733159d 2 bytes JMP 757f7db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773315b5 2 bytes JMP 7576f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773315cd 2 bytes JMP 7577b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773316b2 2 bytes JMP 757f8584 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773316bd 2 bytes JMP 757f7d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 709a000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 709a000a .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70a0000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70a0000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 7097000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 7097000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70a3000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70a3000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 709d000a .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 709d000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 708b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 708b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70ac000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70ac000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 7094000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 7094000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 708e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 708e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70a9000a .text C:\Program Files 
(x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70a9000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 7091000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 7091000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70a6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70a6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc 
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 7154000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 7142000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 713c000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 70ce000a 
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 714e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 70e6000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 70da000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 70da000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 7151000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 714b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 70dd000a .text C:\Program Files 
(x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 70c5000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 70e3000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7115000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 70ef000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7145000a .text C:\Program Files 
(x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7157000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 713f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 70cb000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 710f000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 70d1000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 70c2000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 716b000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 716e000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7139000a .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 7112000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 717d000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 717a000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7171000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 7177000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\GDI32.dll!PlgBlt 
00000000770d4636 6 bytes JMP 7174000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[2440] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 00000001000b0600 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 
000000007787f984 2 bytes JMP 71af000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e0000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e0000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e6000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e6000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70dd000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70dd000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70e9000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70e9000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7102000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Users\Szarik\Downloads\OTL.com[2760] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e3000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e3000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d1000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d1000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f2000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f2000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70da000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70da000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d4000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d4000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ef000a .text 
C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ef000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70d7000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70d7000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ec000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ec000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 
000000007577126f 6 bytes JMP 718f000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001002401f8 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Users\Szarik\Downloads\OTL.com[2760] 
C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001002403fc .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710b000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100240600 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Users\Szarik\Downloads\OTL.com[2760] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000775b06b3 5 bytes JMP 0000000100240804 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100240a08 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text C:\Users\Szarik\Downloads\OTL.com[2760] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7183000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7180000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7177000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717d000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717a000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes JMP 7195000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 
00000000756d42a1 6 bytes JMP 7192000a .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 00000001002d1014 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 5 bytes JMP 00000001002d0804 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 00000001002d0a08 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 00000001002d0c0c .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 00000001002d0e10 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001002d01f8 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001002d03fc .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 00000001002d0600 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000077331401 2 bytes JMP 7576eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000077331419 2 bytes JMP 7577b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000077331431 2 bytes JMP 757f8609 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007733144a 2 bytes CALL 75751dfa C:\Windows\syswow64\KERNEL32.dll .text ... 
* 9 .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000773314dd 2 bytes JMP 757f7efe C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000773314f5 2 bytes JMP 757f80d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007733150d 2 bytes JMP 757f7df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000077331525 2 bytes JMP 757f81c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007733153d 2 bytes JMP 7576f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000077331555 2 bytes JMP 7577b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007733156d 2 bytes JMP 757f86c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000077331585 2 bytes JMP 757f8222 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007733159d 2 bytes JMP 757f7db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000773315b5 2 bytes JMP 7576f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000773315cd 2 bytes JMP 7577b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 
00000000773316b2 2 bytes JMP 757f8584 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Szarik\Downloads\OTL.com[2760] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000773316bd 2 bytes JMP 757f7d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a2fd0 5 bytes JMP 000000010016075c .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776b4a20 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776cffa0 6 bytes {JMP QWORD [RIP+0x8950090]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776d0030 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776d0090 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d0170 5 bytes JMP 000000010016163c .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d01e0 6 bytes {JMP QWORD [RIP+0x903fe50]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d0220 6 bytes {JMP QWORD [RIP+0x8fffe10]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d02c0 6 bytes {JMP QWORD [RIP+0x905fd70]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d0350 6 bytes {JMP QWORD [RIP+0x8fdfce0]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d0390 6 bytes {JMP QWORD [RIP+0x8ecfca0]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776d03b0 5 bytes JMP 0000000100161284 .text C:\Windows\system32\taskhost.exe[2604] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d03e0 6 bytes {JMP QWORD [RIP+0x8eefc50]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d0400 6 bytes {JMP QWORD [RIP+0x901fc30]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d05f0 6 bytes {JMP QWORD [RIP+0x90dfa40]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d0700 6 bytes {JMP QWORD [RIP+0x8eaf930]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d07d0 6 bytes {JMP QWORD [RIP+0x8f7f860]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d0920 6 bytes {JMP QWORD [RIP+0x907f710]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d0930 6 bytes {JMP QWORD [RIP+0x90bf700]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d0ca0 6 bytes {JMP QWORD [RIP+0x8f9f390]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d0d30 6 bytes {JMP QWORD [RIP+0x909f300]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776d13e0 5 bytes JMP 00000001001619f4 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d15a0 6 bytes {JMP QWORD [RIP+0x8fbea90]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d1620 6 bytes {JMP QWORD [RIP+0x8f0ea10]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d16a0 6 bytes {JMP QWORD [RIP+0x8f2e990]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007736b3d0 6 bytes {JMP QWORD 
[RIP+0x8d44c60]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007737e7b0 6 bytes {JMP QWORD [RIP+0x8cf1880]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773bf1bd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000773f8730 6 bytes {JMP QWORD [RIP+0x8c97900]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd68a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd694920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe56222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe562418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe5673b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe568258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe568378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe569664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe56bb44 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe56dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfb6e00 5 bytes JMP 000007ff7dfd1dac .text C:\Windows\system32\taskhost.exe[2604] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfb6f2c 5 bytes JMP 000007ff7dfd0ecc .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfb7220 5 bytes JMP 000007ff7dfd1284 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfb739c 5 bytes JMP 000007ff7dfd163c .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfb7538 5 bytes JMP 000007ff7dfd19f4 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfb75e8 5 bytes JMP 000007ff7dfd03a4 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfb790c 5 bytes JMP 000007ff7dfd075c .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfb7ab4 5 bytes JMP 000007ff7dfd0b14 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd432370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd432598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f980 3 bytes JMP 71af000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f984 2 bytes JMP 71af000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007787fa60 5 bytes JMP 0000000100030600 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007787faf8 5 bytes JMP 0000000100030804 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc50 5 bytes JMP 0000000100030c0c .text 
C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd04 3 bytes JMP 70e0000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd08 2 bytes JMP 70e0000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fd68 3 bytes JMP 70e6000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fd6c 2 bytes JMP 70e6000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fe60 3 bytes JMP 70dd000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fe64 2 bytes JMP 70dd000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff44 3 bytes JMP 70e9000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff48 2 bytes JMP 70e9000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffa4 3 bytes JMP 7102000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffa8 2 bytes JMP 7102000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007787ffd8 5 bytes JMP 0000000100030a08 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880024 3 bytes JMP 70ff000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880028 2 bytes JMP 70ff000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880054 3 bytes JMP 70e3000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880058 2 bytes JMP 70e3000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880358 3 bytes JMP 70d1000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788035c 2 bytes JMP 70d1000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778804f0 3 bytes JMP 7105000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778804f4 2 bytes JMP 7105000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880634 3 bytes JMP 70f2000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880638 2 bytes JMP 70f2000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788082c 3 bytes JMP 70da000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880830 2 bytes JMP 70da000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880844 3 bytes JMP 70d4000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880848 2 bytes JMP 70d4000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880d94 3 bytes JMP 70ef000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880d98 2 bytes JMP 70ef000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880e78 3 bytes JMP 70d7000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880e7c 2 bytes JMP 70d7000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778818c0 5 bytes JMP 0000000100030e10 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881b84 3 bytes JMP 70ec000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881b88 2 bytes JMP 70ec000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c54 3 bytes JMP 70fc000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c58 2 bytes JMP 70fc000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d2c 3 bytes JMP 70f9000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d30 2 bytes JMP 70f9000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007789c0a2 5 bytes JMP 00000001000301f8 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1067 5 bytes JMP 00000001000303fc .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007575102d 6 bytes JMP 719b000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075751062 6 bytes JMP 7198000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007577126f 6 bytes JMP 718f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007577b0c5 1 byte [62] .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] 
C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076aaeae7 6 bytes JMP 719e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000076ab1d26 4 bytes CALL 71ac0000 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077598b7c 6 bytes JMP 715f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077598e6e 6 bytes JMP 7153000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007759cd35 6 bytes JMP 714d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007759d0da 6 bytes JMP 7147000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007759d277 3 bytes JMP 7114000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007759d27b 2 bytes JMP 7114000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007759f0e6 5 bytes JMP 00000001002401f8 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000775a0f14 6 bytes JMP 7159000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000775a0f9f 3 bytes JMP 710e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 00000000775a0fa3 2 bytes JMP 710e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000775a2902 6 bytes JMP 712c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000775a35fb 3 bytes JMP 7120000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] 
C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000775a35ff 2 bytes JMP 7120000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000775a3907 5 bytes JMP 00000001002403fc .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000775a3cbf 6 bytes JMP 715c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000775a3d76 6 bytes JMP 7156000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetParent 00000000775a3f14 3 bytes JMP 7123000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000775a3f18 2 bytes JMP 7123000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000775a3f54 6 bytes JMP 710b000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000775a4858 6 bytes JMP 7129000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000775a492a 3 bytes JMP 712f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000775a492e 2 bytes JMP 712f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000775a8364 5 bytes JMP 0000000100240600 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000775ab7e6 3 bytes JMP 711d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000775ab7ea 2 bytes JMP 711d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000775ac991 6 bytes JMP 7138000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 
00000000775b06b3 5 bytes JMP 0000000100240804 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000775b090f 6 bytes JMP 7141000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000775b2959 6 bytes JMP 7135000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000775beef4 6 bytes JMP 7150000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000775bef4a 6 bytes JMP 7162000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000775bf422 6 bytes JMP 714a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000775bf9b0 6 bytes JMP 7111000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000775c0efc 5 bytes JMP 0000000100240a08 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000775c0f60 6 bytes JMP 713b000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendInput 00000000775c195e 3 bytes JMP 7132000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000775c1962 2 bytes JMP 7132000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000775d9f3b 6 bytes JMP 7117000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000775e15ef 6 bytes JMP 7108000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!mouse_event 00000000775f040b 6 bytes JMP 7171000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!keybd_event 00000000775f044f 6 bytes JMP 7174000a .text 
C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000775f6e8c 6 bytes JMP 7144000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000775f6eed 6 bytes JMP 713e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!BlockInput 00000000775f7f67 3 bytes JMP 711a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000775f7f6b 2 bytes JMP 711a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000775f8a7b 3 bytes JMP 7126000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000775f8a7f 2 bytes JMP 7126000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770a5876 6 bytes JMP 7183000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770a5ea6 6 bytes JMP 7180000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770a95f4 6 bytes JMP 718c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770ab8d0 6 bytes JMP 7186000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770aba55 6 bytes JMP 7177000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770ac74f 6 bytes JMP 717d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770ae45d 6 bytes JMP 7189000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770d4636 6 bytes JMP 717a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000756d14fd 6 bytes 
JMP 7195000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000756d42a1 6 bytes JMP 7192000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077345181 5 bytes JMP 0000000100251014 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077345254 3 bytes JMP 0000000100250804 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 4 0000000077345258 1 byte [88] .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773453d5 5 bytes JMP 0000000100250a08 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773454c2 5 bytes JMP 0000000100250c0c .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773455e2 5 bytes JMP 0000000100250e10 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007734567c 5 bytes JMP 00000001002501f8 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007734589f 5 bytes JMP 00000001002503fc .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5232] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077345a22 5 bytes JMP 0000000100250600 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001078f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001078cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107969c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT 
C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001079a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010798f4] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa8003994840] [unknown section] IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa8004fa0840] [unknown section] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2708] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\sppsvc.exe[3044] @ 
C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\sppsvc.exe[3044] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[3100] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] 
IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\dxgi.dll[USER32.dll!SetWindowsHookExA] [80050000] IAT C:\Windows\system32\Dwm.exe[3748] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\Explorer.EXE[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\Explorer.EXE[3772] @ 
C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\Explorer.EXE[3772] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\comctl32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\DINPUT8.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ 
C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[3160] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[1084] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT 
C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\SearchIndexer.exe[2976] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program 
Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Program Files\COMODO\GeekBuddy\QtCore4.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4112] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4220] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ 
C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4388] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Program Files\COMODO\GeekBuddy\QtCore4.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Program 
Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[4400] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[5068] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2972] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\taskhost.exe[2604] @ 
C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2604] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa80039a02c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039a02c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort5 fffffa80039a02c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039a02c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80039a02c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80039a02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80039a02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80039a02c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort3 fffffa80039a02c0 Device \Driver\al4so61o \Device\Scsi\al4so61o1 fffffa80050a22c0 Device \Driver\al4so61o \Device\Scsi\al4so61o1Port7Path0Target0Lun0 fffffa80050a22c0 Device \Driver\attdb38s \Device\Scsi\attdb38s1 fffffa80050a82c0 Device \FileSystem\Ntfs \Ntfs fffffa80039a42c0 Device \FileSystem\fastfat \Fat fffffa8007ac92c0 Device \Driver\al4so61o \Device\ScsiPort7 fffffa80050a22c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa800503a2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa800503a2c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8004f932c0 Device \Driver\NetBT 
\Device\NetBT_Tcpip_{475FE42E-D2D0-4BA5-A2AA-CE57382C6D10} fffffa8004dd32c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8004f932c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004bc32c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004bc32c0 Device \Driver\cdrom \Device\CdRom2 fffffa8004bc32c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8004f932c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8004f932c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8004f932c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8004f932c0 Device \Driver\USBSTOR \Device\00000085 fffffa8005a282c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004bb82c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8004f932c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa800503a2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8004f932c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa800503a2c0 Device \Driver\dtsoftbus01 \Device\0000006d fffffa8004bb82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C3E3EDAA-9EFB-42F2-9AF1-03E0B1F60672} fffffa8004dd32c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004dd32c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8004f932c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8004f932c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039a02c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8004f932c0 Device \Driver\USBSTOR \Device\00000087 fffffa8005a282c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039a02c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8004f932c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80039a02c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80039a02c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80039a02c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80039a02c0 Device \Driver\attdb38s \Device\ScsiPort6 fffffa80050a82c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\attdb38s.SYS fffff88006f98000-fffff88006fe4000 (311296 bytes) Module \SystemRoot\System32\Drivers\al4so61o.SYS fffff88007689000-fffff880076da000 (331776 bytes) 
---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4220:4632] 000007fefdbb3570 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4220:4832] 000007fefc0d2a74 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4220:4908] 000007fef0ca7cc0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4220:3920] 000007fef8fb5124 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\System32\Drivers\aswrdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 128 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1159691 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x6C 0x56 0xBB ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6B 0xF7 0xDD 0x74 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0xD3 0xED 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x11 0xA2 0x5E 0x5F ... Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 128 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1159691 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x6C 0x56 0xBB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6B 0xF7 0xDD 0x74 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0xD3 0xED 0x18 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x11 0xA2 0x5E 0x5F ... ---- EOF - GMER 2.1 ----