GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-03 16:44:42 Windows 6.1.7600 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3 SAMSUNG_HD250HJ rev.FH100-06 232,89GB Running: gmer.exe; Driver: C:\Users\Szarik\AppData\Local\Temp\pfdiqpob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777bff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777c0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\csrss.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777bff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777c0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text 
C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 
6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\services.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\services.exe[652] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff8b5720 6 bytes {JMP QWORD [RIP+0x23a910]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077577640 6 bytes {JMP QWORD [RIP+0x8e689f0]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077579554 6 bytes {JMP QWORD [RIP+0x8f46adc]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetParent 0000000077579870 6 bytes {JMP QWORD [RIP+0x8e867c0]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowLongA 000000007757c044 6 bytes {JMP QWORD [RIP+0x8be3fec]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostMessageA 000000007757ca54 6 bytes {JMP QWORD [RIP+0x8c235dc]} .text C:\Windows\system32\services.exe[652] 
C:\Windows\system32\USER32.dll!EnableWindow 000000007757d0f0 6 bytes {JMP QWORD [RIP+0x8f82f40]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!MoveWindow 000000007757d120 6 bytes {JMP QWORD [RIP+0x8ea2f10]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007757f0c4 6 bytes {JMP QWORD [RIP+0x8e40f6c]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007757f690 6 bytes {JMP QWORD [RIP+0x8f209a0]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007757fc50 6 bytes {JMP QWORD [RIP+0x8c603e0]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageA 000000007757fcd8 6 bytes {JMP QWORD [RIP+0x8ca0358]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000775803f0 6 bytes {JMP QWORD [RIP+0x8d7fc40]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077581f30 6 bytes {JMP QWORD [RIP+0x8f5e100]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077582294 6 bytes {JMP QWORD [RIP+0x8b9dd9c]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077583464 6 bytes {JMP QWORD [RIP+0x8c7cbcc]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077585c34 6 bytes {JMP QWORD [RIP+0x8bfa3fc]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000775871e9 5 bytes {JMP QWORD [RIP+0x8bb8e48]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetKeyState 00000000775878c0 6 bytes {JMP QWORD [RIP+0x8e18770]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077588e28 6 bytes {JMP QWORD [RIP+0x8d37208]} .text 
C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077588f9c 6 bytes {JMP QWORD [RIP+0x8cf7094]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!PostMessageW 00000000775892d4 6 bytes {JMP QWORD [RIP+0x8c36d5c]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageW 000000007758a800 6 bytes {JMP QWORD [RIP+0x8cb5830]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000077590bf8 6 bytes {JMP QWORD [RIP+0x8daf438]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetClipboardData 0000000077591584 6 bytes {JMP QWORD [RIP+0x8eeeaac]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000077592360 6 bytes {JMP QWORD [RIP+0x8eadcd0]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000077595508 6 bytes {JMP QWORD [RIP+0x8d4ab28]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!mouse_event 00000000775962c4 6 bytes {JMP QWORD [RIP+0x8b49d6c]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000775991a0 6 bytes {JMP QWORD [RIP+0x8de6e90]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000775992e0 6 bytes {JMP QWORD [RIP+0x8cc6d50]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077599320 6 bytes {JMP QWORD [RIP+0x8b66d10]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendInput 00000000775993d0 6 bytes {JMP QWORD [RIP+0x8dc6c60]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!BlockInput 000000007759b430 6 bytes {JMP QWORD [RIP+0x8ec4c00]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775c16e0 6 bytes {JMP QWORD 
[RIP+0x8f5e950]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!keybd_event 00000000775e4474 6 bytes {JMP QWORD [RIP+0x8adbbbc]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775ecc58 6 bytes {JMP QWORD [RIP+0x8d333d8]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775edec8 6 bytes {JMP QWORD [RIP+0x8cb2168]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 43000a .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x5dcc0]} .text C:\Windows\system32\services.exe[652] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x7da98]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\lsass.exe[668] 
C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\lsass.exe[668] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!CreateDCW 
000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 43000a .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\lsm.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\lsm.exe[676] 
C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes JMP 0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\lsm.exe[676] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\winlogon.exe[740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} 
.text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD 
[RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff8b5720 6 bytes {JMP QWORD [RIP+0x23a910]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text 
C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] 
C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 
7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713f000a .text C:\Program Files 
(x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] 
C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[920] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text 
C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP 
QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff8b5720 6 bytes {JMP QWORD [RIP+0x23a910]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text 
C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[428] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text 
C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP 
QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP 
QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\atiesrxx.exe[532] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text 
C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 
bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes JMP 6000200 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes JMP 650033 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 54646 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[600] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes JMP 690074 .text C:\Windows\System32\svchost.exe[600] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[600] 
C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes JMP 88ad038 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes JMP 8161468 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes JMP 890c81 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes JMP 10003 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes JMP 96213b0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes JMP 10003 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes JMP 20002 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes JMP 10001 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes JMP 9612080 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes JMP 10003 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes JMP 10001 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes JMP 956aae8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes JMP 8de9331 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes JMP 
9920d78 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes JMP 8e64480 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes JMP 96a4aa8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes JMP 8dad5e1 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes JMP 8e849f9 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes JMP 291be838 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes JMP 2c879c0 C:\Windows\system32\SHELL32.dll .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes JMP cdeeeaef .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes JMP 2 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP 
QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD 
[RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[1040] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff8b5720 6 bytes {JMP QWORD [RIP+0x23a910]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes JMP 11e990 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes JMP 0 .text 
C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 13d250 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text 
C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
00000000774af1bd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\AUDIODG.EXE[1128] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text 
C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD 
[RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD 
[RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text 
C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 
408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text 
C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text 
C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\system32\fltlib.dll!FilterSendMessage 
000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\System32\spoolsv.exe[1816] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 9c6 .text 
C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 730073 .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 47e .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\spoolsv.exe[1816] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 
00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[1844] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff8b5720 6 bytes {JMP QWORD [RIP+0x23a910]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes JMP 0 .text 
C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} 
.text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 0 .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!DeleteDC 
000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\taskhost.exe[1892] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e8000a .text 
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] 
C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 
3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes 
JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] 
C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1952] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD 
[RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[1576] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!StretchBlt 
000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1576] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes 
JMP 70ef000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7116000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 4 bytes JMP 70fb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA + 5 000000007615f9b5 1 byte [70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 7101000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 7110000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 7110000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text 
C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077681401 2 bytes JMP 7737eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077681419 2 bytes JMP 7738b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077681431 2 bytes JMP 77408609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007768144a 2 bytes CALL 77361dfa C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776814dd 2 bytes JMP 77407efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776814f5 2 bytes JMP 774080d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007768150d 2 bytes JMP 77407df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077681525 2 bytes JMP 774081c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007768153d 2 bytes JMP 7737f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077681555 2 bytes JMP 7738b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007768156d 2 bytes JMP 774086c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077681585 2 bytes JMP 77408222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007768159d 2 bytes JMP 77407db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776815b5 2 bytes JMP 7737f121 C:\Windows\syswow64\kernel32.dll .text C:\Program 
Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776815cd 2 bytes JMP 7738b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776816b2 2 bytes JMP 77408584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776816bd 2 bytes JMP 77407d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD 
[RIP+0x8dbfc50]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Program 
Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 43000a .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Program Files\Microsoft 
LifeCam\MSCamS64.exe[1716] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1716] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70b6000a .text C:\Program 
Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 
00000000779704f4 2 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 
4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes 
CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] 
C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710b000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 
4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7141000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7111000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7132000a .text C:\Program 
Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 7108000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text 
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1628] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD 
[RIP+0x8ebfe10]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\taskeng.exe[2064] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\taskeng.exe[2064] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtClose 
000000007796f980 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 
7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes 
JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetWindowLongW 
0000000076138b7c 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7127000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714e000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7136000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7136000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] 
C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000720e17fa 2 bytes CALL 77361199 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000720e1860 2 bytes CALL 77361199 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000720e1942 2 bytes JMP 75dec29f C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000720e194d 2 bytes JMP 75de418d C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077681401 2 bytes JMP 7737eb26 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 
17 0000000077681419 2 bytes JMP 7738b513 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077681431 2 bytes JMP 77408609 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007768144a 2 bytes CALL 77361dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776814dd 2 bytes JMP 77407efe C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776814f5 2 bytes JMP 774080d8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007768150d 2 bytes JMP 77407df4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077681525 2 bytes JMP 774081c2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007768153d 2 bytes JMP 7737f088 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077681555 2 bytes JMP 7738b885 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007768156d 2 bytes JMP 774086c1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077681585 2 bytes JMP 77408222 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007768159d 2 bytes JMP 77407db8 C:\Windows\syswow64\kernel32.dll .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776815b5 2 bytes JMP 7737f121 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776815cd 2 bytes JMP 7738b29f C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776816b2 2 bytes JMP 77408584 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776816bd 2 bytes JMP 77407d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\fltlib.dll!FilterConnectCommunicationPort 00000000752412c6 6 bytes JMP 71a5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\fltlib.dll!FilterSendMessage 0000000075242384 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 
70e5000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 7103000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 7103000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e8000a .text C:\Program Files 
(x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7109000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7109000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70df000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d9000a .text C:\Program Files 
(x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 7100000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 7100000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Alcohol 
Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7157000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7118000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7130000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7127000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7127000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 712d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7121000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 713c000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 
00000000761506b3 6 bytes JMP 716c000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7139000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7154000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7115000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713f000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7136000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7136000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 711b000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 710c000a .text C:\Program 
Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7148000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7142000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 712a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 712a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] 
C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2264] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 
bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[2284] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes JMP 4d68636d .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes JMP 69ce6fb8 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[2284] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\kernel32.dll!CreateProcessW 
000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP 0 .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP d2e .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\sppsvc.exe[2536] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[2744] 
C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text 
C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 9c6 .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text 
C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 47e .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\WUDFHost.exe[2812] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 13a81 .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\WUDFHost.exe[2812] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 6 bytes {JMP QWORD [RIP+0x88ad060]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 6 bytes {JMP QWORD [RIP+0x8e1fec0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8effe50]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8ebfe10]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f1fd70]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8e9fce0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8d9fca0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dbfc50]} .text 
C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8edfc30]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8f9fa40]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8d7f930]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e3f860]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f3f710]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8f7f700]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8e5f390]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8f5f300]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8e7ea90]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8ddea10]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8dfe990]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c44c60]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8bf1880]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\kernel32.dll!CreateProcessA 
00000000774e8730 6 bytes {JMP QWORD [RIP+0x8b97900]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xe8de04]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0xeadc18]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0xec8c80]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP 43000a .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xe669cc]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0xf044ec]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0xee23b8]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077577640 6 bytes {JMP QWORD [RIP+0x8e689f0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077579554 6 bytes {JMP QWORD [RIP+0x8f46adc]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetParent 0000000077579870 6 bytes {JMP QWORD [RIP+0x8e867c0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetWindowLongA 000000007757c044 6 bytes {JMP QWORD [RIP+0x8be3fec]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!PostMessageA 000000007757ca54 6 bytes {JMP QWORD 
[RIP+0x8c235dc]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!EnableWindow 000000007757d0f0 6 bytes {JMP QWORD [RIP+0x8f82f40]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!MoveWindow 000000007757d120 6 bytes {JMP QWORD [RIP+0x8ea2f10]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007757f0c4 6 bytes {JMP QWORD [RIP+0x8e40f6c]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007757f690 6 bytes {JMP QWORD [RIP+0x8f209a0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007757fc50 6 bytes {JMP QWORD [RIP+0x8c603e0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendMessageA 000000007757fcd8 6 bytes {JMP QWORD [RIP+0x8ca0358]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000775803f0 6 bytes {JMP QWORD [RIP+0x8d7fc40]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077581f30 6 bytes {JMP QWORD [RIP+0x8f5e100]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077582294 6 bytes {JMP QWORD [RIP+0x8b9dd9c]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077583464 6 bytes {JMP QWORD [RIP+0x8c7cbcc]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077585c34 6 bytes {JMP QWORD [RIP+0x8bfa3fc]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000775871e9 5 bytes {JMP QWORD [RIP+0x8bb8e48]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!GetKeyState 00000000775878c0 6 bytes {JMP QWORD [RIP+0x8e18770]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077588e28 6 bytes {JMP QWORD [RIP+0x8d37208]} .text C:\Windows\Explorer.EXE[2116] 
C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077588f9c 6 bytes {JMP QWORD [RIP+0x8cf7094]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!PostMessageW 00000000775892d4 6 bytes {JMP QWORD [RIP+0x8c36d5c]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendMessageW 000000007758a800 6 bytes {JMP QWORD [RIP+0x8cb5830]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000077590bf8 6 bytes {JMP QWORD [RIP+0x8daf438]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!GetClipboardData 0000000077591584 6 bytes {JMP QWORD [RIP+0x8eeeaac]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000077592360 6 bytes {JMP QWORD [RIP+0x8eadcd0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000077595508 6 bytes {JMP QWORD [RIP+0x8d4ab28]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!mouse_event 00000000775962c4 6 bytes {JMP QWORD [RIP+0x8b49d6c]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000775991a0 6 bytes {JMP QWORD [RIP+0x8de6e90]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000775992e0 6 bytes {JMP QWORD [RIP+0x8cc6d50]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077599320 6 bytes {JMP QWORD [RIP+0x8b66d10]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendInput 00000000775993d0 6 bytes {JMP QWORD [RIP+0x8dc6c60]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!BlockInput 000000007759b430 6 bytes {JMP QWORD [RIP+0x8ec4c00]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775c16e0 6 bytes {JMP QWORD [RIP+0x8f5e950]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!keybd_event 00000000775e4474 6 bytes {JMP QWORD [RIP+0x8adbbbc]} 
.text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775ecc58 6 bytes {JMP QWORD [RIP+0x8d333d8]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775edec8 6 bytes {JMP QWORD [RIP+0x8cb2168]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x5dcc0]} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x7da98]} .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007796fa60 5 bytes JMP 0000000100030600 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007796faf8 5 bytes JMP 0000000100030804 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 5 bytes JMP 0000000100030c0c .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e0000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e0000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70e6000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70e6000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70dd000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70dd000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 
000000007796ff44 3 bytes JMP 70e9000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70e9000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7102000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7102000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007796ffd8 5 bytes JMP 0000000100030a08 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 70ff000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70ff000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e3000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e3000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d1000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d1000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7105000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7105000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f2000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f2000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70da000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 
0000000077970830 2 bytes JMP 70da000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d4000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d4000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70ef000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70ef000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70d7000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70d7000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779718c0 5 bytes JMP 0000000100030e10 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70ec000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70ec000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70fc000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70fc000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70f9000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70f9000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007798c0a2 5 bytes JMP 00000001000301f8 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 5 bytes JMP 00000001000303fc .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007736102d 
6 bytes JMP 719b000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7198000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 718f000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719e000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 715f000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7153000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 714d000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 7147000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7114000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7114000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 5 bytes JMP 00000001001c01f8 .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 7159000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 710e000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 710e000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 712c000a 
.text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7120000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7120000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143907 5 bytes JMP 00000001001c03fc .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 715c000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 7156000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7123000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7123000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710b000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 7129000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 712f000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 712f000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 5 bytes JMP 00000001001c0600 .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 711d000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 711d000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 7138000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 5 bytes JMP 00000001001c0804 .text C:\Windows\vVX3000.exe[3412] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7141000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7135000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7150000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7162000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714a000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7111000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076160efc 5 bytes JMP 00000001001c0a08 .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713b000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7132000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7132000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 7117000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 7108000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7171000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7174000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7144000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 713e000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 
3 bytes JMP 711a000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711a000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 7126000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 7126000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7183000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7180000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718c000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7186000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7177000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717d000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 7189000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717a000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7195000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7192000a .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076105181 5 bytes JMP 00000001001d1014 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076105254 5 bytes JMP 00000001001d0804 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000761053d5 5 bytes JMP 00000001001d0a08 .text C:\Windows\vVX3000.exe[3412] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000761054c2 5 bytes JMP 00000001001d0c0c .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000761055e2 5 bytes JMP 00000001001d0e10 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007610567c 5 bytes JMP 00000001001d01f8 .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007610589f 5 bytes JMP 00000001001d03fc .text C:\Windows\vVX3000.exe[3412] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076105a22 5 bytes JMP 00000001001d0600 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 00000001002f075c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001002f03a4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 00000001002f0b14 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 5 bytes JMP 00000001002f0ecc .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 00000001002f163c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8f4fe50]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8f0fe10]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f6fd70]} .text C:\Windows\system32\SearchIndexer.exe[3748] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8eefce0]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8ddfca0]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 00000001002f1284 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dffc50]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8f2fc30]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8dbf930]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e8f860]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f8f710]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8fcf700]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8eaf390]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8faf300]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001002f19f4 .text C:\Windows\system32\SearchIndexer.exe[3748] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8ecea90]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8e1ea10]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8e3e990]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c54c60]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8c01880]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8ba7900]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\SearchIndexer.exe[3748] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 9d806c98 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\Windows Media 
Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 00000001003a075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001003a03a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 00000001003a0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 5 bytes JMP 00000001003a0ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 00000001003a163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8f4fe50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8f0fe10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f6fd70]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8eefce0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8ddfca0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 00000001003a1284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 
6 bytes {JMP QWORD [RIP+0x8dffc50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8f2fc30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8dbf930]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e8f860]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f8f710]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8fcf700]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8eaf390]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8faf300]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001003a19f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8ecea90]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8e1ea10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD 
[RIP+0x8e3e990]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c54c60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8c01880]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8ba7900]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\Windows Media 
Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP d2e .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 000000010015075c .text 
C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001001503a4 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 0000000100150b14 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 5 bytes JMP 0000000100150ecc .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 000000010015163c .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8f4fe50]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8f0fe10]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f6fd70]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8eefce0]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8ddfca0]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 0000000100151284 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dffc50]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8f2fc30]} .text 
C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8dbf930]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e8f860]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f8f710]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8fcf700]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8eaf390]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8faf300]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001001519f4 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8ecea90]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8e1ea10]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8e3e990]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c54c60]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\KERNEL32.dll!CreateProcessW 
000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8c01880]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8ba7900]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes 
{JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 0 .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\SearchProtocolHost.exe[3280] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 00000001001e075c .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001001e03a4 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 00000001001e0b14 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 
5 bytes JMP 00000001001e0ecc .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 00000001001e163c .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8f4fe50]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8f0fe10]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f6fd70]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8eefce0]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8ddfca0]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 00000001001e1284 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dffc50]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8f2fc30]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8dbf930]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e8f860]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f8f710]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
00000000777c0930 6 bytes {JMP QWORD [RIP+0x8fcf700]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8eaf390]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8faf300]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001001e19f4 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8ecea90]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8e1ea10]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8e3e990]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c54c60]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8c01880]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8ba7900]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\System32\svchost.exe[4040] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\System32\svchost.exe[4040] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP d2e .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text 
C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4040] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[4040] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff9ea1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feffa0fa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes JMP c773 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0x128c80]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0x1423b8]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes CALL 0 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes JMP 0 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xe8de04]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0xeadc18]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0xec8c80]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xe669cc]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0xf044ec]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0xee23b8]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 
000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xe8de04]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0xeadc18]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0xec8c80]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} 
.text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xe669cc]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0xf044ec]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0xee23b8]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] 
C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 000000010017075c .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001001703a4 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 0000000100170b14 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 5 bytes JMP 0000000100170ecc .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 000000010017163c .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8f4fe50]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8f0fe10]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f6fd70]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8eefce0]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8ddfca0]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 0000000100171284 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dffc50]} 
.text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8f2fc30]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8dbf930]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e8f860]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f8f710]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8fcf700]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8eaf390]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8faf300]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001001719f4 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8ecea90]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8e1ea10]} .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8e3e990]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c54c60]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8c01880]} .text C:\Windows\explorer.exe[4388] 
C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Windows\explorer.exe[4388] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8ba7900]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Windows\explorer.exe[4388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\explorer.exe[4388] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xe8de04]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0xeadc18]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0xec8c80]} .text C:\Windows\explorer.exe[4388] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes JMP d2e .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xe669cc]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0xf044ec]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0xee23b8]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077577640 6 bytes {JMP QWORD [RIP+0x8ea89f0]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077579554 6 bytes {JMP QWORD [RIP+0x8f86adc]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetParent 0000000077579870 6 bytes {JMP QWORD [RIP+0x8ec67c0]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!UnhookWinEvent 00000000775798f0 5 bytes JMP 000000010026075c .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetWindowLongA 000000007757c044 6 bytes {JMP QWORD [RIP+0x8c23fec]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!PostMessageA 000000007757ca54 6 bytes {JMP QWORD [RIP+0x8c635dc]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!EnableWindow 000000007757d0f0 6 bytes {JMP QWORD [RIP+0x8fc2f40]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!MoveWindow 000000007757d120 6 bytes {JMP QWORD [RIP+0x8ee2f10]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007757f0c4 6 bytes {JMP QWORD [RIP+0x8e80f6c]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007757f690 6 bytes {JMP QWORD [RIP+0x8f609a0]} .text C:\Windows\explorer.exe[4388] 
C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007757fc50 6 bytes {JMP QWORD [RIP+0x8ca03e0]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendMessageA 000000007757fcd8 6 bytes {JMP QWORD [RIP+0x8ce0358]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000000007757fe60 5 bytes JMP 0000000100261284 .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000775803f0 6 bytes {JMP QWORD [RIP+0x8dbfc40]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077581f30 6 bytes {JMP QWORD [RIP+0x8f9e100]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077582294 2 bytes JMP 0000000100260ecc .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 3 0000000077582297 2 bytes [CD, 88] .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077583464 6 bytes {JMP QWORD [RIP+0x8cbcbcc]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077585c34 6 bytes {JMP QWORD [RIP+0x8c3a3fc]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000775871e8 5 bytes JMP 00000001002603a4 .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!GetKeyState 00000000775878c0 6 bytes {JMP QWORD [RIP+0x8e58770]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077588e28 6 bytes {JMP QWORD [RIP+0x8d77208]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077588f9c 6 bytes {JMP QWORD [RIP+0x8d37094]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!PostMessageW 00000000775892d4 6 bytes {JMP QWORD [RIP+0x8c76d5c]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendMessageW 000000007758a800 6 bytes {JMP QWORD [RIP+0x8cf5830]} .text 
C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000077590bf8 6 bytes {JMP QWORD [RIP+0x8def438]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!GetClipboardData 0000000077591584 6 bytes {JMP QWORD [RIP+0x8f2eaac]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000077592360 6 bytes {JMP QWORD [RIP+0x8eedcd0]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000077595508 6 bytes {JMP QWORD [RIP+0x8d8ab28]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!mouse_event 00000000775962c4 6 bytes {JMP QWORD [RIP+0x8b59d6c]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000775991a0 6 bytes {JMP QWORD [RIP+0x8e26e90]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000775992e0 6 bytes {JMP QWORD [RIP+0x8d06d50]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077599320 5 bytes JMP 0000000100260b14 .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendInput 00000000775993d0 6 bytes {JMP QWORD [RIP+0x8e06c60]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!BlockInput 000000007759b430 6 bytes {JMP QWORD [RIP+0x8f04c00]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775c16e0 6 bytes {JMP QWORD [RIP+0x8f9e950]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!keybd_event 00000000775e4474 6 bytes {JMP QWORD [RIP+0x8aebbbc]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775ecc58 6 bytes {JMP QWORD [RIP+0x8d733d8]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775edec8 6 bytes {JMP QWORD [RIP+0x8cf2168]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 
000007fefd532370 6 bytes {JMP QWORD [RIP+0x5dcc0]} .text C:\Windows\explorer.exe[4388] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes JMP 4e40c3b .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 000000010033075c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001003303a4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 0000000100330b14 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 5 bytes JMP 0000000100330ecc .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 000000010033163c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes {JMP QWORD [RIP+0x8f4fe50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes {JMP QWORD [RIP+0x8f0fe10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes {JMP QWORD [RIP+0x8f6fd70]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes {JMP QWORD [RIP+0x8eefce0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes {JMP QWORD [RIP+0x8ddfca0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 0000000100331284 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dffc50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes {JMP QWORD [RIP+0x8f2fc30]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes {JMP QWORD [RIP+0x8dbf930]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes {JMP QWORD [RIP+0x8e8f860]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes {JMP QWORD [RIP+0x8f8f710]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes {JMP QWORD [RIP+0x8fcf700]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes {JMP QWORD [RIP+0x8eaf390]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes {JMP QWORD [RIP+0x8faf300]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001003319f4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes {JMP QWORD [RIP+0x8ecea90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes {JMP QWORD [RIP+0x8e1ea10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes {JMP QWORD [RIP+0x8e3e990]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes {JMP QWORD [RIP+0x8c54c60]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007746e7b0 6 bytes {JMP QWORD [RIP+0x8c01880]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes {JMP QWORD [RIP+0x8ba7900]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0x10dc18]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text 
C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0x1644ec]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] 
C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792fd0 5 bytes JMP 000000010047075c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777a4a20 5 bytes JMP 00000001004703a4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bffa0 6 bytes {JMP QWORD [RIP+0x8860090]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777c0030 5 bytes JMP 0000000100470b14 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777c0090 5 bytes JMP 0000000100470ecc .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777c0170 5 bytes JMP 000000010047163c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777c01e0 6 bytes JMP 650074 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777c0220 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777c02c0 6 bytes JMP 630065 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777c0350 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777c0390 6 bytes JMP 750142 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777c03b0 5 bytes JMP 0000000100471284 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777c03e0 6 bytes {JMP QWORD [RIP+0x8dffc50]} .text C:\Program 
Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777c0400 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777c05f0 6 bytes {JMP QWORD [RIP+0x8fefa40]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777c0700 6 bytes JMP 630144 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777c07d0 6 bytes JMP 74006f .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777c0920 6 bytes JMP 33 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777c0930 6 bytes JMP 6f0020 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777c0ca0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777c0d30 6 bytes JMP 720065 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777c13e0 5 bytes JMP 00000001004719f4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777c15a0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777c1620 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777c16a0 6 bytes JMP 64 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007745b3d0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\KERNEL32.dll!CreateProcessW 000000007746e7b0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] 
C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774af1bd 1 byte [62] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000774e8730 6 bytes JMP 690067 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd96a4c8 3 bytes [42, 5B, 06] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd974920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe03222c 6 bytes {JMP QWORD [RIP+0xe8de04]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe032418 6 bytes {JMP QWORD [RIP+0xeadc18]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe0373b0 6 bytes {JMP QWORD [RIP+0xec8c80]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe038258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe038378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe039664 6 bytes {JMP QWORD [RIP+0xe669cc]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe03bb44 6 bytes {JMP QWORD [RIP+0xf044ec]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe03dc78 6 bytes {JMP QWORD [RIP+0xee23b8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 
000007ff7dac0ecc .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefd532370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefd532598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007796fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007796faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 7095000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 7095000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 709b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 709b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 7092000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 7092000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 709e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 709e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007796ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 
0000000077970024 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 7098000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 7098000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 7086000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 7086000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 708f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 708f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 7089000a 
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 7089000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 708c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 708c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779718c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70ae000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70ae000a .text C:\Program Files 
(x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007798c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 717d000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 717a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] 
C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 714f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 7155000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 7152000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 712d000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7121000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 711b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 7115000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 7127000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 70c3000a .text C:\Program Files 
(x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 70e7000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 70db000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 70db000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143907 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 712a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 7124000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 70de000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 70de000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 70c0000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 70e4000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] 
C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 7106000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 710f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7103000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 711e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7130000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 7118000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 70c6000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] 
C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076160efc 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 7109000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7100000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7100000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 70cc000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 70bd000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 713f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7112000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 710c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 
70e1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076105181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076105254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000761053d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000761054c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000761055e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007610567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007610589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076105a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077681401 2 bytes JMP 7737eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077681419 2 bytes JMP 7738b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077681431 2 bytes JMP 77408609 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007768144a 2 bytes CALL 77361dfa C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776814dd 2 bytes JMP 77407efe C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776814f5 2 bytes JMP 774080d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007768150d 2 bytes JMP 77407df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077681525 2 bytes JMP 774081c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007768153d 2 bytes JMP 7737f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077681555 2 bytes JMP 7738b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero 
BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007768156d 2 bytes JMP 774086c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077681585 2 bytes JMP 77408222 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007768159d 2 bytes JMP 77407db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776815b5 2 bytes JMP 7737f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776815cd 2 bytes JMP 7738b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776816b2 2 bytes JMP 77408584 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776816bd 2 bytes JMP 77407d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes [DB, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70c7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70c7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70cd000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70cd000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes [C3, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70d0000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70d0000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes [E7, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 70e5000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70e5000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70ca000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70ca000a 
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70b8000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70b8000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 70eb000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 70eb000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes [D8, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes [C0, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70bb000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70bb000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes [D5, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST 
Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes [BD, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes [D2, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes [E1, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes [DE, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program 
Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7154000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 713e000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7138000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 7132000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes [F9, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 715f000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 7144000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 70f4000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 70f4000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7106000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] 
C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7106000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7151000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes [08, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes {JMP QWORD [RIP+0x70f0001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 710f000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes [14, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes [02, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 7162000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 713b000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes {JMP QWORD [RIP+0x70f6001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes {JMP QWORD [RIP+0x7125001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes [17, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes {JMP QWORD [RIP+0x70ed001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes {JMP QWORD [RIP+0x7167001e]} 
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes {JMP QWORD [RIP+0x7128001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes [FF, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes [0B, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 717e000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 717b000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes {JMP QWORD [RIP+0x7173001e]} .text 
C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes {JMP QWORD [RIP+0x7170001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007796fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007796faf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Java\Java 
Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007796ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7105000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779718c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007798c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] 
C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076105181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076105254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000761053d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000761054c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000761055e2 5 bytes JMP 0000000100250e10 .text C:\Program 
Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007610567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007610589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076105a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7183000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7177000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 
0000000076138e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 7147000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7114000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 710e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 712c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7120000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143907 5 bytes JMP 00000001002603fc .text 
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7123000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 7129000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 711d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 7138000a .text C:\Program Files (x86)\Common Files\Java\Java 
Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7141000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7135000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7111000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076160efc 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7132000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] 
C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 7108000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7174000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7144000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 713e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 7126000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007796fa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007796faf8 5 
bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007796ffd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common 
Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779718c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 
0000000077971d30 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007798c0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7198000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 718f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7153000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 714d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 7147000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 7159000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 715c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 7156000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetParent 
0000000076143f14 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 711b000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7150000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7162000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076160efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7174000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 
0000000076196e8c 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7183000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7180000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7186000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7177000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 7189000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\GDI32.dll!PlgBlt 
0000000077704636 6 bytes JMP 717a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7195000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7192000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076105181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076105254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000761053d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000761054c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000761055e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007610567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007610589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076105a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077681401 2 bytes JMP 7737eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] 
C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077681419 2 bytes JMP 7738b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077681431 2 bytes JMP 77408609 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007768144a 2 bytes CALL 77361dfa C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776814dd 2 bytes JMP 77407efe C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776814f5 2 bytes JMP 774080d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007768150d 2 bytes JMP 77407df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077681525 2 bytes JMP 774081c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007768153d 2 bytes JMP 7737f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077681555 2 bytes JMP 7738b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007768156d 2 bytes JMP 774086c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] 
C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077681585 2 bytes JMP 77408222 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007768159d 2 bytes JMP 77407db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776815b5 2 bytes JMP 7737f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776815cd 2 bytes JMP 7738b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776816b2 2 bytes JMP 77408584 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776816bd 2 bytes JMP 77407d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e4000a .text C:\Program Files 
(x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 00000000cc24c6e1 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7105000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7105000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 7102000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 7102000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d5000a 
.text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7108000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7108000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70de000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70de000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70db000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 70db000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7162000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7156000a .text 
C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7150000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7117000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7117000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7168000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715c000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 7111000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 5 0000000076140fa4 1 byte [71] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 712f000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7123000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7123000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 715f000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 7159000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7126000a .text C:\Program Files 
(x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7126000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 712c000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7132000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7132000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7120000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7120000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 713b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7144000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7138000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7153000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007615ef4a 6 bytes JMP 7165000a .text 
C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7114000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7135000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7135000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 711a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 710b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7171000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7174000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7147000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7141000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 7129000a .text 
C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 7129000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7177000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Nero\Update\NASvc.exe[5868] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f980 3 bytes JMP 71af000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f984 2 bytes JMP 71af000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fc50 3 bytes JMP 70fa000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fc54 2 bytes JMP 70fa000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd04 3 bytes JMP 70e5000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd08 2 bytes JMP 70e5000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fd68 3 bytes JMP 70eb000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fd6c 2 bytes JMP 70eb000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fe60 3 bytes JMP 70e2000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fe64 2 bytes JMP 70e2000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ff44 3 bytes JMP 70ee000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ff48 2 bytes JMP 70ee000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007796ffa4 3 bytes JMP 7106000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007796ffa8 2 bytes JMP 7106000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970024 3 bytes JMP 7103000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970028 2 bytes JMP 7103000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077970054 3 bytes JMP 70e8000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077970058 
2 bytes JMP 70e8000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077970358 3 bytes JMP 70d6000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007797035c 2 bytes JMP 70d6000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779704f0 3 bytes JMP 7109000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779704f4 2 bytes JMP 7109000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077970634 3 bytes JMP 70f7000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077970638 2 bytes JMP 70f7000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797082c 3 bytes JMP 70df000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077970830 2 bytes JMP 70df000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077970844 3 bytes JMP 70d9000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077970848 2 bytes JMP 70d9000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970d94 3 bytes JMP 70f4000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970d98 2 bytes JMP 70f4000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970e78 3 bytes JMP 70dc000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970e7c 2 bytes JMP 
70dc000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971b84 3 bytes JMP 70f1000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971b88 2 bytes JMP 70f1000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971c54 3 bytes JMP 7100000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971c58 2 bytes JMP 7100000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d2c 3 bytes JMP 70fd000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971d30 2 bytes JMP 70fd000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991067 6 bytes JMP 71a8000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007736102d 6 bytes JMP 719c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077361062 6 bytes JMP 7199000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007738126f 6 bytes JMP 7190000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007738b0c5 1 byte [62] .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c0eae7 6 bytes JMP 719f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075c11d26 4 bytes CALL 71ac0000 .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076138b7c 6 bytes JMP 7163000a .text 
C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076138e6e 6 bytes JMP 7157000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007613cd35 6 bytes JMP 7151000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007613d0da 6 bytes JMP 714b000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007613d277 3 bytes JMP 7118000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007613d27b 2 bytes JMP 7118000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613f0e6 6 bytes JMP 7169000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076140f14 6 bytes JMP 715d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076140f9f 3 bytes JMP 7112000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000076140fa3 2 bytes JMP 7112000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076142902 6 bytes JMP 7130000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761435fb 3 bytes JMP 7124000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761435ff 2 bytes JMP 7124000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076143cbf 6 bytes JMP 7160000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076143d76 6 bytes JMP 715a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] 
C:\Windows\syswow64\USER32.dll!SetParent 0000000076143f14 3 bytes JMP 7127000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076143f18 2 bytes JMP 7127000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076143f54 6 bytes JMP 710f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076144858 6 bytes JMP 712d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007614492a 3 bytes JMP 7133000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007614492e 2 bytes JMP 7133000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076148364 6 bytes JMP 716f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007614b7e6 3 bytes JMP 7121000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007614b7ea 2 bytes JMP 7121000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007614c991 6 bytes JMP 713c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761506b3 6 bytes JMP 716c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007615090f 6 bytes JMP 7145000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076152959 6 bytes JMP 7139000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007615eef4 6 bytes JMP 7154000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SetWindowLongA 
000000007615ef4a 6 bytes JMP 7166000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007615f422 6 bytes JMP 714e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007615f9b0 6 bytes JMP 7115000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076160f60 6 bytes JMP 713f000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendInput 000000007616195e 3 bytes JMP 7136000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076161962 2 bytes JMP 7136000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076179f3b 6 bytes JMP 711b000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761815ef 6 bytes JMP 710c000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!mouse_event 000000007619040b 6 bytes JMP 7172000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!keybd_event 000000007619044f 6 bytes JMP 7175000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076196e8c 6 bytes JMP 7148000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076196eed 6 bytes JMP 7142000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076197f67 3 bytes JMP 711e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076197f6b 2 bytes JMP 711e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076198a7b 3 bytes JMP 712a000a .text 
C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076198a7f 2 bytes JMP 712a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000776d5876 6 bytes JMP 7184000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000776d5ea6 6 bytes JMP 7181000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000776d95f4 6 bytes JMP 718d000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000776db8d0 6 bytes JMP 7187000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000776dba55 6 bytes JMP 7178000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000776dc74f 6 bytes JMP 717e000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000776de45d 6 bytes JMP 718a000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077704636 6 bytes JMP 717b000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000760a14fd 6 bytes JMP 7196000a .text C:\Users\Szarik\Downloads\gmer\gmer.exe[5172] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000760a42a1 6 bytes JMP 7193000a ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT 
C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\SearchIndexer.exe[3748] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ C:\Windows\system32\wmp.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3912] @ 
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[4040] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ 
C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4260] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\DINPUT8.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] 
IAT C:\Program Files\SmartTechnology\Software\ProfilerU.exe[4296] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80190000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Program Files\SmartTechnology\Software\SaiMfd.exe[4316] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80130000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\explorer.exe[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\explorer.exe[USER32.dll!SetWinEventHook] [80150000] IAT 
C:\Windows\explorer.exe[4388] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\explorer.exe[4388] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program 
Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Program Files\COMODO\GeekBuddy\QtCore4.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[4800] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5092] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5092] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5092] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5092] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program 
Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Program Files\COMODO\GeekBuddy\QtCore4.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT 
C:\Program Files\COMODO\GeekBuddy\unit.exe[5100] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2720] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2720] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80180000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\System32\Drivers\aswrdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! 
---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 133 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1159691 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x6C 0x56 0xBB ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x67 0xE9 0xE6 0xC4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0xD3 0xED 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x58 0xE3 0x09 0x24 ... Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 133 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1159691 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x6C 0x56 0xBB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x67 0xE9 0xE6 0xC4 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0xD3 0xED 0x18 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x58 0xE3 0x09 0x24 ... ---- EOF - GMER 2.1 ----