GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-23 12:52:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006f SAMSUNG_ rev.DXT4 238,47GB Running: y8269lrj.exe; Driver: C:\Users\dkoloszc\AppData\Local\Temp\kwddipoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f3000 45 bytes [00, 00, 09, 02, 56, 61, 64, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031f302f 17 bytes [00, 2B, 6F, 07, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072311a22 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072311ad0 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072311b08 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072311bba 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072311bda 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Windows\SysWOW64\DWRCS.EXE[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenService.exe[2536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenService.exe[2536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2c55c8 6 bytes JMP 640075 .text C:\Windows\system32\taskhost.exe[5024] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff2db85c 6 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072311a22 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072311ad0 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072311b08 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072311bba 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072311bda 2 bytes [31, 72] .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Windows\SysWOW64\DWRCST.exe[3944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\Dwm.exe[4436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2c55c8 6 bytes JMP 45a .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff2db85c 6 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007fef6b45cc0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\msi.dll!MsiInstallProductA 000007fef6bc2ab0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\msi.dll!MsiInstallProductW 000007fef6bd1638 6 bytes JMP 690074 .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x11ad000]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x114ba70]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\WS2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x1187da0]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1141f40]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x884fc]} .text C:\Windows\Explorer.EXE[4448] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes {JMP QWORD [RIP+0x9fc70]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\DellTPad\Apoint.exe[5040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x984fc]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2100] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes {JMP QWORD [RIP+0xafc70]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x984fc]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4420] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes {JMP QWORD [RIP+0xafc70]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\DellTPad\ApMsgFwd.exe[4984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe[5132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 9000027 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2c55c8 6 bytes {JMP QWORD [RIP+0xfaa68]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff2db85c 6 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x984fc]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5152] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes {JMP QWORD [RIP+0xafc70]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\System32\igfxtray.exe[5236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\System32\hkcmd.exe[5280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\igfxsrvc.exe[5296] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\System32\igfxpers.exe[5392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\DellTPad\Apntex.exe[5444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\DellTPad\HidFind.exe[5460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 7187000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 7187000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 717e000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 717e000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7181000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7181000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7184000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7184000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 718d000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 718d000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718a000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718a000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717b000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717b000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 7178000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 7178000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7190000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7193000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719c000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7196000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7199000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 719f000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a2000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a2000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71a8000a .text C:\Program Files (x86)\RSUPPORT\MobizenService\MobizenTray.exe[5488] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a5000a .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\conhost.exe[5520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x11ad000]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x114ba70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\WS2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x1187da0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1141f40]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x984fc]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5536] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes JMP 1ae40000 .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[5596] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 9000027 .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x16dd000]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x167ba70]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\system32\WS2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x16b7da0]} .text C:\Windows\System32\rundll32.exe[5644] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1671f40]} .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 717e000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 717e000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7175000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7175000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7178000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7178000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 717b000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 717b000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7184000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7184000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7181000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7181000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7172000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7172000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 716f000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 716f000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7193000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 718d000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7190000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 7196000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 7199000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 7199000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 719f000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 719c000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7187000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 718a000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 71a2000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 71ab000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 71a5000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 71a8000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 716f000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 7169000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[5848] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 716c000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 717e000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 717e000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7175000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7175000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7178000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7178000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 717b000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 717b000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7184000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7184000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7181000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7181000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7172000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7172000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 716f000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 716f000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7193000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 718d000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7190000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 7196000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 7199000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 7199000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 719f000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 719c000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7187000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 718a000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 71a2000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 71ab000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 71a5000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 71a8000a .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Users\dkoloszc\AppData\Local\Akamai\netsession_win.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes [89, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes [80, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes [83, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes [86, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes [8F, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes [8C, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes [7D, 71] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe[5920] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes [7A, 71] .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\System32\StikyNot.exe[5944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 9000027 .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes [89, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes [80, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes [83, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes [86, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes [8F, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes [8C, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes [7D, 71] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes [FF, 25, 1E] .text C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe[6100] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes [7A, 71] .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x11ad000]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x114ba70]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\system32\WS2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x1187da0]} .text C:\Windows\system32\wbem\unsecapp.exe[6128] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1141f40]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 7169000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 7172000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 716c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 716f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006d3811a8 2 bytes [38, 6D] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006d3813a8 2 bytes [38, 6D] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006d381422 2 bytes [38, 6D] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5868] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006d381498 2 bytes [38, 6D] .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 15] .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x1a6d000]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x167ba70]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\system32\WS2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x16b7da0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5780] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1671f40]} .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes [89, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes [80, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes [83, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes [86, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes [8F, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes [8C, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes [7D, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[5564] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes [7A, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 7184000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 7184000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 717b000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 717b000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 717e000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 717e000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7181000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7181000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 718a000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 718a000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7187000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7187000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7178000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7178000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 7175000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 7175000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7199000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7196000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 719c000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 719f000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 719f000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[6160] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7199000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7196000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 7166000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 7169000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[6472] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 716d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 716f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 7178000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 7172000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6864] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[6892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[6892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe[6968] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[7008] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 717e000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 717e000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7175000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7175000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7178000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7178000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 717b000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 717b000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7184000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7184000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7181000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7181000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7172000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7172000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 716f000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 716f000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7193000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 718d000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7190000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 7196000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 7199000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 7199000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 719f000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 719c000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 718a000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[7152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[7564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 7169000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 716c000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 716f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[7932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[7732] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 716f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 716f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7193000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 7196000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 7199000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 7199000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\WS2_32.dll!connect 0000000075046bdd 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\WS2_32.dll!listen 000000007504b001 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncV1\CoreSync.exe[8124] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 71a8000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 7184000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 7184000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 717b000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 717b000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 717e000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 717e000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7181000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7181000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 718a000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 718a000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 7187000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 7187000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 7178000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 7178000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 7175000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 7175000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 7199000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7193000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 7196000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 719c000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 719f000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 719f000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71a5000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a2000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 718d000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7190000a .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[8464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[8464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[8540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[8540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[8572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[8572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe[8644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe[8644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\ws2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 716f000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\ws2_32.dll!connect 0000000075046bdd 6 bytes JMP 7178000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\ws2_32.dll!listen 000000007504b001 6 bytes JMP 7172000a .text C:\Windows\CCM\SCNotification.exe[8940] C:\Windows\syswow64\ws2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[2560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\ws2_32.dll!WSALookupServiceBeginW 000000007504575a 6 bytes JMP 716f000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\ws2_32.dll!connect 0000000075046bdd 6 bytes JMP 7178000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\ws2_32.dll!listen 000000007504b001 6 bytes JMP 7172000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\ws2_32.dll!WSAConnect 000000007504cc3f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXE[8408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2c55c8 6 bytes {JMP QWORD [RIP+0xfaa68]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff2db85c 6 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\ws2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x11ad000]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x114ba70]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\ws2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x1187da0]} .text C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe[6080] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1141f40]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\conhost.exe[5208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075c81465 2 bytes [C8, 75] .text C:\Users\dkoloszc\Desktop\OTL.exe[6108] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000075c814bb 2 bytes [C8, 75] .text ... * 2 .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\splwow64.exe[8980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 79000026 .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x884fc]} .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes JMP 1ae40000 .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefd913030 6 bytes {JMP QWORD [RIP+0x11ad000]} .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd9145c1 5 bytes {JMP QWORD [RIP+0x114ba70]} .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\WS2_32.dll!listen 000007fefd918290 6 bytes {JMP QWORD [RIP+0x1187da0]} .text C:\Windows\splwow64.exe[8980] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd93e0f0 6 bytes {JMP QWORD [RIP+0x1141f40]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\notepad.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\notepad.exe[2936] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\notepad.exe[2936] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes [B5, 6F, 06] .text C:\Windows\notepad.exe[2936] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaab7b34 6 bytes {JMP QWORD [RIP+0x884fc]} .text C:\Windows\notepad.exe[2936] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaac03c0 6 bytes {JMP QWORD [RIP+0x9fc70]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077491510 6 bytes {JMP QWORD [RIP+0x8caeb20]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8d0eb10]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8ceea50]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8cce830]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8c6e780]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8c8e1f0]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8d2d850]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007723db80 6 bytes {JMP QWORD [RIP+0x8fa24b0]} .text C:\Windows\system32\PrintIsolationHost.exe[5360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd539055 3 bytes CALL 9000027 .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007763fc20 3 bytes JMP 718a000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007763fc24 2 bytes JMP 718a000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007763fc38 3 bytes JMP 7181000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007763fc3c 2 bytes JMP 7181000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007763fd64 3 bytes JMP 7184000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007763fd68 2 bytes JMP 7184000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776400b4 3 bytes JMP 7187000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776400b8 2 bytes JMP 7187000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776401c4 3 bytes JMP 7190000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000776401c8 2 bytes JMP 7190000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077640a44 3 bytes JMP 718d000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077640a48 2 bytes JMP 718d000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077641920 3 bytes JMP 717e000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077641924 2 bytes JMP 717e000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077013bbb 3 bytes JMP 717b000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077013bbf 2 bytes JMP 717b000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076b22c9e 4 bytes CALL 71af0000 .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075099679 6 bytes JMP 719f000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000750a12a5 6 bytes JMP 7199000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000750a3baa 6 bytes JMP 719c000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000750a612e 6 bytes JMP 71a2000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!SendInput 00000000750bff4a 3 bytes JMP 71a5000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000750bff4e 2 bytes JMP 71a5000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!mouse_event 00000000750f027b 6 bytes JMP 71ab000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\USER32.dll!keybd_event 00000000750f02bf 6 bytes JMP 71a8000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075bb70c4 6 bytes JMP 7193000a .text C:\Users\dkoloszc\Desktop\y8269lrj.exe[4244] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075bd3264 6 bytes JMP 7196000a ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\fcf8ae5f5c93 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\fcf8ae5f5c93 (not active ControlSet) ---- EOF - GMER 2.1 ----