GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-18 01:17:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-7 WDC_WD6400AAKS-65A7B0 rev.01.03B01 596,17GB Running: v1o5t3s9.exe; Driver: C:\Users\wlodek\AppData\Local\Temp\kwrdqpog.sys ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f8bbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f8bde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f8bbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f8bde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD 
[RIP+0x9222440]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd3e2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d2f864 6 bytes {JMP QWORD [RIP+0x94107cc]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076d34d3d 5 bytes {JMP QWORD [RIP+0x942b2f4]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076d48c20 6 bytes {JMP QWORD [RIP+0x93d7410]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes 
{JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes JMP 87f9 .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes JMP 64 .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\lsm.exe[580] 
C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\lsm.exe[580] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 
0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd3e2930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 
0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd3e2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\svchost.exe[840] 
C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text 
C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\System32\svchost.exe[344] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text 
C:\Windows\System32\svchost.exe[344] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes JMP 9011bd1 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes JMP 105ac89 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes JMP 91f76c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes JMP 923e5f8 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes JMP 91f09b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes JMP 91f87f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes JMP 10565a6 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes JMP 89c79f8 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text 
C:\Windows\system32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text 
C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes JMP 4d002200 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd3e2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text 
C:\Windows\system32\svchost.exe[364] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes JMP 530020 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\SHELL32.dll!SHFileOperationW 0000000001f09050 6 bytes {JMP QWORD [RIP+0x28c6fe0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\SHELL32.dll!SHFileOperation 0000000002122fc0 6 bytes {JMP QWORD [RIP+0x266d070]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD 
[RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes JMP 64006e .text 
C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\servicing\TrustedInstaller.exe[1128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 
6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd3e2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text 
C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 
0000000075c896c0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text 
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\System32\svchost.exe[1584] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\System32\svchost.exe[1584] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 7175000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 7175000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text 
C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7178000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 717b000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 717e000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWow64\perfhost.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text 
C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 7175000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 7175000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files 
(x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7178000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 717b000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 717e000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\KERNEL32.dll 
.text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes 
JMP 76cb8d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000075c896c0 6 bytes JMP 716f000a .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[1916] C:\Windows\syswow64\shell32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 7172000a .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f8bcb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076f8be60 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076f8c080 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes 
{JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\taskhost.exe[2460] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 
0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\taskeng.exe[2560] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\Dwm.exe[2568] 
C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP 
QWORD [RIP+0x90ddec0]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0x106dd40]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0x1027c8c]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x100764c]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0x1046cfc]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d2f864 6 bytes {JMP QWORD [RIP+0x94107cc]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076d34d3d 5 bytes {JMP QWORD [RIP+0x942b2f4]} .text C:\Windows\Explorer.EXE[2600] 
C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076d48c20 6 bytes {JMP QWORD [RIP+0x93d7410]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe339050 5 bytes [FF, 25, E0, 6F, FE] .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe552fc0 6 bytes {JMP QWORD [RIP+0xdad070]} .text C:\Windows\Explorer.EXE[2600] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes JMP 0 .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text 
C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c896c0 6 bytes JMP 717b000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] 
C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Users\wlodek\AppData\Local\Microsoft\OneDrive\OneDrive.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 
716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes 
JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c896c0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common 
Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 
0000000076c29ae4 6 bytes JMP 718a000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c896c0 6 
bytes JMP 717b000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 719c000a .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files 
(x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 719c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 
0000000075c896c0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll 
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 719c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c896c0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common 
Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 
7178000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c896c0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 
0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 716f000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 716f000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] 
C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7172000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 7175000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c896c0 6 bytes JMP 717b000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] 
C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e8c431 6 bytes JMP 717e000a .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\svchost.exe[3476] 
C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes JMP e6 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes JMP ebebebeb .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\system32\GDI32.dll!CreateDCW 
000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\SearchIndexer.exe[3628] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes JMP 10000052 .text C:\Windows\system32\SearchProtocolHost.exe[3732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} 
.text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\System32\svchost.exe[3888] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f8bcb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[496] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] 
C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4200] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes JMP 630000 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076f65be0 13 bytes {MOV R11, 0x7fee7c02ae0; JMP R11} .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes JMP 0 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes JMP 0 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes JMP 316e2d90 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes JMP 0 .text 
D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes JMP 630000 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes JMP 9230428 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes JMP 3a7350a0 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes JMP 920a440 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d2f864 6 bytes JMP 0 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076d34d3d 5 bytes JMP 0 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\USER32.dll!GetWindowInfo 0000000076d38b40 13 bytes {MOV R11, 0x7fee39f6640; JMP R11} .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076d48c20 6 bytes JMP 39 .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes JMP 2ede .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text D:\Program Files\Cyberfox\Cyberfox.exe[4540] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text C:\Windows\system32\wuauclt.exe[4696] 
C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes {JMP QWORD [RIP+0xedd40]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\wuauclt.exe[4696] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f62170 6 bytes {JMP QWORD [RIP+0x90ddec0]} .text 
C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076f8bc20 6 bytes {JMP QWORD [RIP+0x9094410]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f8c380 6 bytes {JMP QWORD [RIP+0x91f3cb0]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076e31860 6 bytes {JMP QWORD [RIP+0x92ce7d0]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e3dbf0 6 bytes {JMP QWORD [RIP+0x9222440]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076eaf6d0 6 bytes {JMP QWORD [RIP+0x91f0960]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076eaf700 6 bytes {JMP QWORD [RIP+0x9230930]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076eaf8d0 6 bytes {JMP QWORD [RIP+0x91d0760]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076eb5720 6 bytes {JMP QWORD [RIP+0x920a910]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe2722f0 6 bytes JMP 87f9 .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe2783a4 6 bytes {JMP QWORD [RIP+0xa7c8c]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe2789e4 6 bytes {JMP QWORD [RIP+0x8764c]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe279334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\AUDIODG.EXE[2800] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd56d10 6 bytes {JMP QWORD [RIP+0x209320]} .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007713f9f0 3 bytes JMP 71af000a .text 
D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007713f9f4 2 bytes JMP 71af000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077140560 3 bytes JMP 7175000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077140564 2 bytes JMP 7175000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007715c0f0 6 bytes JMP 71a8000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c23be3 3 bytes JMP 719f000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c23be7 2 bytes JMP 719f000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076c29ae4 6 bytes JMP 718a000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076c33baa 6 bytes JMP 7181000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076c3cd11 6 bytes JMP 718d000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076c8dda6 6 bytes JMP 7187000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076c8de49 6 bytes JMP 7184000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000074c52e0b 4 bytes CALL 71ac0000 .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee19 6 bytes JMP 7178000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7613 6 bytes JMP 717b000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d836c 6 bytes JMP 717e000a .text 
D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000756758b3 6 bytes JMP 7190000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075677ba4 6 bytes JMP 7199000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007567b986 6 bytes JMP 7193000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007567ea03 6 bytes JMP 7196000a .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 76c3b263 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 76c3b38e C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76cb90f1 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76c148ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76cb89ea C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 76cb8bc0 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76cb88e0 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 76cb8caa C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 76c2fce8 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 76c36937 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 76cb91a9 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76cb8d0a C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76cb88a4 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 76c2fd81 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 76c3b324 C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76cb906c 
C:\Windows\syswow64\kernel32.dll .text D:\bezpiecz\gmer\v1o5t3s9.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76cb8839 C:\Windows\syswow64\kernel32.dll ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d697627 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d697627@001dfd8ab413 0x87 0xEB 0xBA 0x72 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@001dfd8ab413 0x70 0x04 0x54 0x23 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@00180fdbf815 0x15 0x8D 0x7C 0x4A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@444e1aca4def 0x8B 0x77 0x0A 0xB6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d697627 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d697627@001dfd8ab413 0x87 0xEB 0xBA 0x72 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@001dfd8ab413 0x70 0x04 0x54 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@00180fdbf815 0x15 0x8D 0x7C 0x4A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@444e1aca4def 0x8B 0x77 0x0A 0xB6 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\wlodek\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- Files - GMER 2.2 ---- File C:\Users\wlodek\AppData\Local\8pecxstudios\Cyberfox\Profiles\65e2j7xn.default\thumbnails\01ee54e5f6262f8899f5ebc670fac73b.png 9490 bytes File C:\Users\wlodek\AppData\Local\8pecxstudios\Cyberfox\Profiles\65e2j7xn.default\thumbnails\c0e2b0a0824a074407dfbaecce63115b.png 7801 bytes File C:\Users\wlodek\AppData\Local\8pecxstudios\Cyberfox\Profiles\65e2j7xn.default\thumbnails\ce16eae964f4eab03173afa57d576034.png 18006 bytes File C:\Users\wlodek\AppData\Local\8pecxstudios\Cyberfox\Profiles\65e2j7xn.default\thumbnails\6d5bf5b806046e9cbdeb79f4bac735e5.png 17339 bytes File C:\Users\wlodek\AppData\Local\8pecxstudios\Cyberfox\Profiles\65e2j7xn.default\thumbnails\908b4dd137a3bc2f2b3b066eb094c295.png 25950 bytes File C:\Users\wlodek\AppData\Local\8pecxstudios\Cyberfox\Profiles\65e2j7xn.default\thumbnails\94bd1a40ee16c2e567d0851537b266f3.png 33901 bytes ---- EOF - GMER 2.2 ----