GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-07 16:08:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500LM0 rev.2AR1 465,76GB Running: gmer.exe; Driver: C:\Users\GRAYNK~1\AppData\Local\Temp\uxdyraow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031ac000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031ac02f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\services.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\services.exe[648] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 00000000779d98e0 12 bytes JMP 000000016fff01b8 .text C:\windows\system32\services.exe[648] C:\windows\system32\kernel32.dll!CreateProcessW 00000000779f0650 12 bytes JMP 000000016fff0148 .text C:\windows\system32\services.exe[648] C:\windows\system32\kernel32.dll!CreateProcessA 0000000077a6acf0 1 byte JMP 000000016fff0180 .text C:\windows\system32\services.exe[648] C:\windows\system32\kernel32.dll!CreateProcessA + 2 0000000077a6acf2 5 bytes {JMP 0xfffffffff8585490} .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\lsass.exe[672] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffd1a6f0 1 byte JMP 000007fffd900180 .text C:\windows\system32\lsass.exe[672] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007feffd1a6f2 5 bytes {JMP 0xfffffffffdbe5a90} .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\svchost.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\svchost.exe[392] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\System32\svchost.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\System32\svchost.exe[484] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\System32\svchost.exe[744] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\System32\svchost.exe[744] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 00000000779d98e0 12 bytes JMP 000000016fff01b8 .text C:\windows\System32\svchost.exe[744] C:\windows\system32\kernel32.dll!CreateProcessW 00000000779f0650 12 bytes JMP 000000016fff0148 .text C:\windows\System32\svchost.exe[744] C:\windows\system32\kernel32.dll!CreateProcessA 0000000077a6acf0 1 byte JMP 000000016fff0180 .text C:\windows\System32\svchost.exe[744] C:\windows\system32\kernel32.dll!CreateProcessA + 2 0000000077a6acf2 5 bytes {JMP 0xfffffffff8585490} .text C:\windows\System32\svchost.exe[744] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\svchost.exe[1012] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\svchost.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\svchost.exe[1044] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 00000000779d98e0 12 bytes JMP 000000016fff01b8 .text C:\windows\system32\svchost.exe[1044] C:\windows\system32\kernel32.dll!CreateProcessW 00000000779f0650 12 bytes JMP 000000016fff0148 .text C:\windows\system32\svchost.exe[1044] C:\windows\system32\kernel32.dll!CreateProcessA 0000000077a6acf0 1 byte JMP 000000016fff0180 .text C:\windows\system32\svchost.exe[1044] C:\windows\system32\kernel32.dll!CreateProcessA + 2 0000000077a6acf2 5 bytes {JMP 0xfffffffff8585490} .text C:\windows\system32\svchost.exe[1044] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\system32\svchost.exe[1044] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde73e80 5 bytes JMP 000007fffd9001b8 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\svchost.exe[1524] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!DeleteDC 000007feffe922cc 5 bytes JMP 000007fffd900260 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!BitBlt 000007feffe924c0 5 bytes JMP 000007fffd900298 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!MaskBlt 000007feffe95bf0 5 bytes JMP 000007fffd9002d0 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!CreateDCW 000007feffe98398 9 bytes JMP 000007fffd9001f0 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!CreateDCA 000007feffe989d8 9 bytes JMP 000007fffd9001b8 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!GetPixel 000007feffe99344 5 bytes JMP 000007fffd900228 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!StretchBlt 000007feffe9b9f8 5 bytes JMP 000007fffd900340 .text C:\windows\system32\Dwm.exe[1696] C:\windows\system32\GDI32.dll!PlgBlt 000007feffe9c8e0 5 bytes JMP 000007fffd900308 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\Explorer.EXE[1752] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 00000000779d98e0 12 bytes JMP 000000016fff01b8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\kernel32.dll!CreateProcessW 00000000779f0650 12 bytes JMP 000000016fff0148 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\kernel32.dll!CreateProcessA 0000000077a6acf0 1 byte JMP 000000016fff0180 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\kernel32.dll!CreateProcessA + 2 0000000077a6acf2 5 bytes {JMP 0xfffffffff8585490} .text C:\windows\Explorer.EXE[1752] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!DeleteDC 000007feffe922cc 5 bytes JMP 000007fffd900260 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!BitBlt 000007feffe924c0 5 bytes JMP 000007fffd900298 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!MaskBlt 000007feffe95bf0 5 bytes JMP 000007fffd9002d0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!CreateDCW 000007feffe98398 9 bytes JMP 000007fffd9001f0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!CreateDCA 000007feffe989d8 9 bytes JMP 000007fffd9001b8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!GetPixel 000007feffe99344 5 bytes JMP 000007fffd900228 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!StretchBlt 000007feffe9b9f8 5 bytes JMP 000007fffd900340 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\GDI32.dll!PlgBlt 000007feffe9c8e0 5 bytes JMP 000007fffd900308 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000077af6ef0 8 bytes JMP 000000016fff06f8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000077af8184 7 bytes JMP 000000016fff0880 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SetParent 0000000077af8530 8 bytes JMP 000000016fff0730 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!PostMessageA 0000000077afa404 5 bytes JMP 000000016fff0308 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!EnableWindow 0000000077afaaa0 9 bytes JMP 000000016fff08f0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!MoveWindow 0000000077afaad0 8 bytes JMP 000000016fff0768 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!GetAsyncKeyState 0000000077afc720 5 bytes JMP 000000016fff06c0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!RegisterHotKey 0000000077afcd50 8 bytes JMP 000000016fff0848 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!PostThreadMessageA 0000000077afd2b0 5 bytes JMP 000000016fff0378 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageA 0000000077afd338 5 bytes JMP 000000016fff03e8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendNotifyMessageW 0000000077afdc40 9 bytes JMP 000000016fff0570 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SystemParametersInfoW 0000000077aff510 7 bytes JMP 000000016fff08b8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SetWindowsHookExW 0000000077aff874 9 bytes JMP 000000016fff0298 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageTimeoutW 0000000077affac0 9 bytes JMP 000000016fff0490 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077b00b74 10 bytes JMP 000000016fff03b0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SetWinEventHook 0000000077b04d4c 5 bytes JMP 000000016fff02d0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!GetKeyState 0000000077b05010 5 bytes JMP 000000016fff0688 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077b05438 7 bytes JMP 000000016fff0500 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageW 0000000077b06b50 5 bytes JMP 000000016fff0420 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!PostMessageW 0000000077b076e4 7 bytes JMP 000000016fff0340 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendDlgItemMessageW 0000000077b0dd90 5 bytes JMP 000000016fff05e0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!GetClipboardData 0000000077b0e874 5 bytes JMP 000000016fff0810 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SetClipboardViewer 0000000077b0f780 8 bytes JMP 000000016fff07a0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendNotifyMessageA 0000000077b128e4 12 bytes JMP 000000016fff0538 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!mouse_event 0000000077b13894 7 bytes JMP 000000016fff0228 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077b18a10 8 bytes JMP 000000016fff0650 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077b18be0 12 bytes JMP 000000016fff0458 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077b18c20 12 bytes JMP 000000016fff0260 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendInput 0000000077b18cd0 8 bytes JMP 000000016fff0618 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!BlockInput 0000000077b1ad60 8 bytes JMP 000000016fff07d8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!ExitWindowsEx 0000000077b414e0 5 bytes JMP 000000016fff0928 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!keybd_event 0000000077b645a4 3 bytes JMP 000000016fff01f0 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!keybd_event + 4 0000000077b645a8 3 bytes [F8, CC, CC] .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendDlgItemMessageA 0000000077b6cc08 5 bytes JMP 000000016fff05a8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageCallbackA 0000000077b6df18 3 bytes JMP 000000016fff04c8 .text C:\windows\Explorer.EXE[1752] C:\windows\system32\USER32.dll!SendMessageCallbackA + 4 0000000077b6df1c 3 bytes [F8, CC, CC] .text C:\windows\system32\taskhost.exe[1796] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1176] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[1636] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2364] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2456] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\SearchIndexer.exe[3076] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe[3164] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3296] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3436] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2608] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000010027d080 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000010028fac0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000010028dfa0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000010028ec30 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000010028c270 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000010028e640 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000010028ff20 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000010028fce0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000010028e2a0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000010028cc90 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000010028b520 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000010028f750 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000010028be90 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000010028c8f0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000010028f540 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000010028f0c0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000010028f300 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000010028c520 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000010028eec0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000100287df0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000010027d1a0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff8846bf19} .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000100284f30 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000100285ac0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[3944] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000100283a60 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!DeleteDC 000007feffe922cc 5 bytes JMP 000007fffd900260 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!BitBlt 000007feffe924c0 5 bytes JMP 000007fffd900298 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!MaskBlt 000007feffe95bf0 5 bytes JMP 000007fffd9002d0 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!CreateDCW 000007feffe98398 9 bytes JMP 000007fffd9001f0 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!CreateDCA 000007feffe989d8 9 bytes JMP 000007fffd9001b8 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!GetPixel 000007feffe99344 5 bytes JMP 000007fffd900228 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!StretchBlt 000007feffe9b9f8 5 bytes JMP 000007fffd900340 .text C:\windows\system32\igfxsrvc.exe[3216] C:\windows\system32\GDI32.dll!PlgBlt 000007feffe9c8e0 5 bytes JMP 000007fffd900308 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\svchost.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\svchost.exe[4888] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5012] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007615f784 5 bytes JMP 000000011001d1d0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000077af6ef0 8 bytes JMP 000000016fff06f8 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000077af8184 7 bytes JMP 000000016fff0880 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SetParent 0000000077af8530 8 bytes JMP 000000016fff0730 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!PostMessageA 0000000077afa404 5 bytes JMP 000000016fff0308 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!EnableWindow 0000000077afaaa0 9 bytes JMP 000000016fff08f0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!MoveWindow 0000000077afaad0 8 bytes JMP 000000016fff0768 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!GetAsyncKeyState 0000000077afc720 5 bytes JMP 000000016fff06c0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!RegisterHotKey 0000000077afcd50 8 bytes JMP 000000016fff0848 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!PostThreadMessageA 0000000077afd2b0 5 bytes JMP 000000016fff0378 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageA 0000000077afd338 5 bytes JMP 000000016fff03e8 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendNotifyMessageW 0000000077afdc40 9 bytes JMP 000000016fff0570 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SystemParametersInfoW 0000000077aff510 7 bytes JMP 000000016fff08b8 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SetWindowsHookExW 0000000077aff874 9 bytes JMP 000000016fff0298 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageTimeoutW 0000000077affac0 9 bytes JMP 000000016fff0490 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077b00b74 10 bytes JMP 000000016fff03b0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SetWinEventHook 0000000077b04d4c 5 bytes JMP 000000016fff02d0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!GetKeyState 0000000077b05010 5 bytes JMP 000000016fff0688 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077b05438 7 bytes JMP 000000016fff0500 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageW 0000000077b06b50 5 bytes JMP 000000016fff0420 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!PostMessageW 0000000077b076e4 7 bytes JMP 000000016fff0340 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendDlgItemMessageW 0000000077b0dd90 5 bytes JMP 000000016fff05e0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!GetClipboardData 0000000077b0e874 5 bytes JMP 000000016fff0810 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SetClipboardViewer 0000000077b0f780 8 bytes JMP 000000016fff07a0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendNotifyMessageA 0000000077b128e4 12 bytes JMP 000000016fff0538 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!mouse_event 0000000077b13894 7 bytes JMP 000000016fff0228 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077b18a10 8 bytes JMP 000000016fff0650 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077b18be0 12 bytes JMP 000000016fff0458 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077b18c20 12 bytes JMP 000000016fff0260 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendInput 0000000077b18cd0 8 bytes JMP 000000016fff0618 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!BlockInput 0000000077b1ad60 8 bytes JMP 000000016fff07d8 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!ExitWindowsEx 0000000077b414e0 5 bytes JMP 000000016fff0928 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!keybd_event 0000000077b645a4 3 bytes JMP 000000016fff01f0 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!keybd_event + 4 0000000077b645a8 3 bytes [F8, CC, CC] .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendDlgItemMessageA 0000000077b6cc08 5 bytes JMP 000000016fff05a8 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageCallbackA 0000000077b6df18 3 bytes JMP 000000016fff04c8 .text C:\windows\System32\svchost.exe[4060] C:\windows\system32\USER32.dll!SendMessageCallbackA + 4 0000000077b6df1c 3 bytes [F8, CC, CC] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 00000001003bd080 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 00000001003cfac0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 00000001003cdfa0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 00000001003cec30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 00000001003cc270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 00000001003ce640 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 00000001003cff20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 00000001003cfce0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 00000001003ce2a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 00000001003ccc90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 00000001003cb520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 00000001003cf750 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 00000001003cbe90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 00000001003cc8f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 00000001003cf540 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 00000001003cf0c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 00000001003cf300 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 00000001003cc520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 00000001003ceec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 00000001003c7df0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 00000001003bd1a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff885abf19} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 00000001003c4f30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 00000001003c5ac0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4320] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 00000001003c3a60 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3032] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2960] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 00000000779d98e0 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2960] C:\windows\system32\kernel32.dll!CreateProcessW 00000000779f0650 12 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2960] C:\windows\system32\kernel32.dll!CreateProcessA 0000000077a6acf0 1 byte JMP 000000016fff0180 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2960] C:\windows\system32\kernel32.dll!CreateProcessA + 2 0000000077a6acf2 5 bytes {JMP 0xfffffffff8585490} .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c13b10 5 bytes JMP 000000016fff0110 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c17ac0 5 bytes JMP 000000016fff0d50 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077c413a0 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c41570 8 bytes JMP 000000016fff0a78 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c415e0 8 bytes JMP 000000016fff0c00 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c41620 8 bytes JMP 000000016fff0b90 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c416c0 8 bytes JMP 000000016fff0c38 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c41750 8 bytes JMP 000000016fff0b58 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c41790 8 bytes JMP 000000016fff0998 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c417e0 8 bytes JMP 000000016fff09d0 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c41800 8 bytes JMP 000000016fff0bc8 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c419f0 8 bytes JMP 000000016fff0d18 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c41b00 8 bytes JMP 000000016fff0960 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c41bd0 8 bytes JMP 000000016fff0ab0 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c41d20 8 bytes JMP 000000016fff0c70 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c41d30 8 bytes JMP 000000016fff0ce0 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c420a0 8 bytes JMP 000000016fff0ae8 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c42130 8 bytes JMP 000000016fff0ca8 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c429a0 8 bytes JMP 000000016fff0b20 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c42a20 8 bytes JMP 000000016fff0a08 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c42aa0 8 bytes JMP 000000016fff0a40 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!DeleteDC 000007feffe922cc 5 bytes JMP 000007fffd900260 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!BitBlt 000007feffe924c0 5 bytes JMP 000007fffd900298 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!MaskBlt 000007feffe95bf0 5 bytes JMP 000007fffd9002d0 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!CreateDCW 000007feffe98398 9 bytes JMP 000007fffd9001f0 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!CreateDCA 000007feffe989d8 9 bytes JMP 000007fffd9001b8 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!GetPixel 000007feffe99344 5 bytes JMP 000007fffd900228 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!StretchBlt 000007feffe9b9f8 5 bytes JMP 000007fffd900340 .text C:\windows\system32\AUDIODG.EXE[3196] C:\windows\System32\GDI32.dll!PlgBlt 000007feffe9c8e0 5 bytes JMP 000007fffd900308 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdba53c0 7 bytes JMP 000007fffd900148 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!DeleteDC 000007feffe922cc 5 bytes JMP 000007fffd900260 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!BitBlt 000007feffe924c0 5 bytes JMP 000007fffd900298 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!MaskBlt 000007feffe95bf0 5 bytes JMP 000007fffd9002d0 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!CreateDCW 000007feffe98398 9 bytes JMP 000007fffd9001f0 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!CreateDCA 000007feffe989d8 9 bytes JMP 000007fffd9001b8 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!GetPixel 000007feffe99344 5 bytes JMP 000007fffd900228 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!StretchBlt 000007feffe9b9f8 5 bytes JMP 000007fffd900340 .text C:\windows\system32\svchost.exe[5592] C:\windows\system32\GDI32.dll!PlgBlt 000007feffe9c8e0 5 bytes JMP 000007fffd900308 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077def9e0 5 bytes JMP 000000011001d080 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077defcb0 5 bytes JMP 000000011002fac0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077defd64 5 bytes JMP 000000011002dfa0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077defdc8 5 bytes JMP 000000011002ec30 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077defec0 5 bytes JMP 000000011002c270 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077deffa4 5 bytes JMP 000000011002e640 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077df0004 5 bytes JMP 000000011002ff20 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077df0084 5 bytes JMP 000000011002fce0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077df00b4 5 bytes JMP 000000011002e2a0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077df03b8 5 bytes JMP 000000011002cc90 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077df0550 5 bytes JMP 000000011002b520 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077df0694 5 bytes JMP 000000011002f750 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077df088c 5 bytes JMP 000000011002be90 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077df08a4 5 bytes JMP 000000011002c8f0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077df0df4 5 bytes JMP 000000011002f540 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077df0ed8 5 bytes JMP 000000011002f0c0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077df1be4 5 bytes JMP 000000011002f300 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077df1cb4 5 bytes JMP 000000011002c520 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077df1d8c 5 bytes JMP 000000011002eec0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e0c4dd 5 bytes JMP 0000000110027df0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e11287 1 byte JMP 000000011001d1a0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll + 2 0000000077e11289 5 bytes {JMP 0xffffffff9820bf19} .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 0000000110024f30 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 0000000110025ac0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b9c9b5 5 bytes JMP 0000000110023a60 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007615f784 5 bytes JMP 000000011001d1d0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076008bff 5 bytes JMP 000000011001b640 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000760090d3 7 bytes JMP 000000011001c3d0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076009679 5 bytes JMP 000000011001b100 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000760097d2 5 bytes JMP 000000011001ab80 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007600ee09 5 bytes JMP 000000011001c0c0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007600efc9 3 bytes JMP 00000001100180a0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007600efcd 1 byte [9A] .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostMessageW 00000000760112a5 5 bytes JMP 000000011001bb80 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetKeyState 000000007601291f 5 bytes JMP 0000000110019330 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetParent 0000000076012d64 1 byte JMP 00000001100188e0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetParent + 2 0000000076012d66 1 byte [5B] .text ... * 2 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076012da4 5 bytes JMP 0000000110017e00 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076013698 3 bytes JMP 0000000110018b80 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!MoveWindow + 4 000000007601369c 1 byte [9A] .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076013baa 5 bytes JMP 000000011001be20 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076013c61 5 bytes JMP 000000011001b8e0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageA 000000007601612e 5 bytes JMP 000000011001b3a0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076016c30 7 bytes JMP 000000011001c5f0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076017603 5 bytes JMP 000000011001c810 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076017668 5 bytes JMP 000000011001a0c0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000760176e0 5 bytes JMP 000000011001a600 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007601781f 5 bytes JMP 000000011001ae40 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007601835c 5 bytes JMP 000000011001ca80 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetClipboardViewer 000000007601c4b6 5 bytes JMP 00000001100186e0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007602c112 5 bytes JMP 0000000110019e10 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007602d0f5 5 bytes JMP 0000000110019b60 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 000000007602eb96 5 bytes JMP 0000000110019080 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetKeyboardState 000000007602ec68 5 bytes JMP 00000001100195e0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendInput 000000007602ff4a 5 bytes JMP 0000000110019890 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076049f1d 5 bytes JMP 00000001100182d0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076051497 5 bytes JMP 0000000110017bf0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!mouse_event 000000007606027b 5 bytes JMP 0000000110029670 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!keybd_event 00000000760602bf 5 bytes JMP 0000000110029880 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076066cfc 5 bytes JMP 000000011001a8c0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076066d5d 5 bytes JMP 000000011001a360 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!BlockInput 0000000076067dd7 5 bytes JMP 00000001100184e0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000760688eb 5 bytes JMP 0000000110018e60 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!DeleteDC 0000000075f758b3 5 bytes JMP 0000000110028bc0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!BitBlt 0000000075f75ea6 5 bytes JMP 00000001100293e0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000075f77bcc 5 bytes JMP 0000000110029cc0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!StretchBlt 0000000075f7b895 5 bytes JMP 0000000110028c00 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!MaskBlt 0000000075f7c332 5 bytes JMP 0000000110029130 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!GetPixel 0000000075f7cbfb 5 bytes JMP 0000000110028990 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!CreateDCW 0000000075f7e743 5 bytes JMP 0000000110029bc0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000075fa4857 5 bytes JMP 0000000110028ea0 .text C:\Users\Grażynka\Downloads\gmer.exe[5140] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077502642 5 bytes JMP 0000000110024390 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\rundll32.exe [2740:3288] 00000000024251a0 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{56296AD3-8955-48D2-9C1F-4EC82FF4C37C}\offreg.dll (*** suspicious ***) @ C:\windows\System32\svchost.exe [4060](2014-11-07 11:35:55) 000007fef8e50000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{C3E8466D-4BE1-4AC2-A033-6CE990C2C814}?\Device\{1C05EA3D-FEAF-4EE2-ACBA-A3DAFDB3F95A}?\Device\{DF5C5B4F-3F7A-469F-AB38-7FF238EBFEF7}?\Device\{C7A60D2D-9BCB-44B5-923E-A002EB82042A}?\Device\{CAFC4EE9-1748-46E0-A0FE-506DAF7DDB2C}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{C3E8466D-4BE1-4AC2-A033-6CE990C2C814}"?"{1C05EA3D-FEAF-4EE2-ACBA-A3DAFDB3F95A}"?"{DF5C5B4F-3F7A-469F-AB38-7FF238EBFEF7}"?"{C7A60D2D-9BCB-44B5-923E-A002EB82042A}"?"{CAFC4EE9-1748-46E0-A0FE-506DAF7DDB2C}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{C3E8466D-4BE1-4AC2-A033-6CE990C2C814}?\Device\TCPIP6TUNNEL_{1C05EA3D-FEAF-4EE2-ACBA-A3DAFDB3F95A}?\Device\TCPIP6TUNNEL_{DF5C5B4F-3F7A-469F-AB38-7FF238EBFEF7}?\Device\TCPIP6TUNNEL_{C7A60D2D-9BCB-44B5-923E-A002EB82042A}?\Device\TCPIP6TUNNEL_{CAFC4EE9-1748-46E0-A0FE-506DAF7DDB2C}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1df46 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f59338f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305850a3d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca9710db474 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 17625 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1df46 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f59338f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b80305850a3d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca9710db474 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----