GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-10 08:37:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-00RKKA0 rev.80.00A80 931,51GB Running: xsvcctid.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\axlyykod.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007704bde0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007704bfe0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007704bde0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007704bfe0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd4f2930 5 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076def804 9 bytes JMP 000000006fff03b0 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076df4ccc 5 bytes JMP 000000006fff03e8 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e08bd0 12 bytes JMP 000000006fff0378 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc940308 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc940228 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd4f2930 5 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc940308 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[928] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd4f2930 5 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc940308 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007704beb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 000000007704c282 6 bytes {JMP 0xfffffffff8fa3e90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[552] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\System32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\System32\svchost.exe[764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd4f2930 5 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc940308 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[1088] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\System32\spoolsv.exe[1468] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd4f2930 5 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc940308 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 70310000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000007281c3f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\IProsetMonitor.exe[1736] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 6e290000 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\taskhost.exe[2008] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\taskeng.exe[1480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\Dwm.exe[2100] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\Explorer.EXE[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076def804 9 bytes JMP 000000006fff03b0 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076df4ccc 5 bytes JMP 000000006fff03e8 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076e08bd0 12 bytes JMP 000000006fff0378 .text C:\Windows\Explorer.EXE[2164] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 6f070000 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000001000a4d0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765e9cfe 5 bytes JMP 000000001000a630 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000006f86451e 5 bytes JMP 000000001000ab40 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 000000006f864b6d 5 bytes JMP 000000001000abb0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 000000006f864bf2 5 bytes JMP 000000001000ac90 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 000000006f864f0f 5 bytes JMP 000000001000ac50 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 000000006f864f7b 5 bytes JMP 000000001000ac10 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 000000006f869054 5 bytes JMP 000000001000ad10 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000006f86adf9 5 bytes JMP 000000001000abe0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 000000006f8852e8 5 bytes JMP 000000001000acd0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000006f88535f 5 bytes JMP 000000001000acf0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInClose 000000006f8859cc 5 bytes JMP 000000001000ae40 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 000000006f885a6a 5 bytes JMP 000000001000aec0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 000000006f885ad7 5 bytes JMP 000000001000af00 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 000000006f885b5b 5 bytes JMP 000000001000af40 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInStart 000000006f885bba 5 bytes JMP 000000001000af80 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInStop 000000006f885bee 5 bytes JMP 000000001000b000 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInReset 000000006f885c22 5 bytes JMP 000000001000b060 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 000000006f885c67 5 bytes JMP 000000001000b0d0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000073b97e3d 5 bytes JMP 000000001000a690 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 0000000073bcde69 5 bytes JMP 000000001000a770 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 0000000073bdd2c5 5 bytes JMP 000000001000a8a0 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 0000000073bdd371 5 bytes JMP 000000001000a990 .text C:\Windows\SysWOW64\HsMgr.exe[2532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 0000000073bdd429 5 bytes JMP 000000001000aa80 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076ee2b60 13 bytes JMP 000000006fff0260 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ef1870 5 bytes JMP 000000006fff0180 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076efdd20 5 bytes JMP 000000006fff0148 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076f6f6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076f6f710 5 bytes JMP 000000006fff02d0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076f6f7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076f6f8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076f6f910 10 bytes JMP 000000006fff0228 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076f6f940 10 bytes JMP 000000006fff01b8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076f75730 5 bytes JMP 000000006fff0298 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutClose 000007fefb9436ac 5 bytes JMP 000007fefefc01f0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fefb943770 5 bytes JMP 000007fefefc0298 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fefb9438d0 5 bytes JMP 000007fefefc01b8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fefb943ca4 5 bytes JMP 000007fefefc0260 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fefb943d40 5 bytes JMP 000007fefefc0228 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInOpen 000007fefb947fe0 7 bytes JMP 000007fefefc0378 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutReset 000007fefb94a38c 5 bytes JMP 000007fefefc02d0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fefb9649f0 5 bytes JMP 000007fefefc0308 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fefb964ab0 5 bytes JMP 000007fefefc0340 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInClose 000007fefb9652e0 5 bytes JMP 000007fefefc03b0 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 000007fefb9653c0 5 bytes JMP 000007fefefc0490 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fefb965454 5 bytes JMP 000007fefefc04c8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fefb965514 5 bytes JMP 000007fefefc0500 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInStart 000007fefb9655a4 6 bytes JMP 000007fefefc03e8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInStop 000007fefb9655e4 6 bytes JMP 000007fefefc0420 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInReset 000007fefb965624 5 bytes JMP 000007fefefc0458 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fefb96567c 5 bytes JMP 000007fefefc0538 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007fef8f76944 7 bytes JMP 000007fefefc0180 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007fef8f95a84 7 bytes JMP 000007fefefc0148 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007fef8f95b90 7 bytes JMP 000007fefefc0570 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007fef8f95c94 7 bytes JMP 000007fefefc05a8 .text C:\Windows\system\HsMgr64.exe[2540] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007fef8f95da8 5 bytes JMP 000007fefefc05e0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 70a20000 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Program Files\UNi Xonar Audio\Customapp\ASUSAUDIOCENTER.EXE[2564] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000007281c3f0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 6e9a0000 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000001000a4d0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765e9cfe 5 bytes JMP 000000001000a630 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000073b97e3d 5 bytes JMP 000000001000a690 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 0000000073bcde69 5 bytes JMP 000000001000a770 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 0000000073bdd2c5 5 bytes JMP 000000001000a8a0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 0000000073bdd371 5 bytes JMP 000000001000a990 .text F:\Program Files (x86)\CopyQ\copyq.exe[2704] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 0000000073bdd429 5 bytes JMP 000000001000aa80 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text F:\Program Files (x86)\Volume2\Volume2.exe[2728] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 6e940000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000001000a4d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765e9cfe 5 bytes JMP 000000001000a630 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000006f86451e 5 bytes JMP 000000001000ab40 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 000000006f864b6d 5 bytes JMP 000000001000abb0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 000000006f864bf2 5 bytes JMP 000000001000ac90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 000000006f864f0f 5 bytes JMP 000000001000ac50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 000000006f864f7b 5 bytes JMP 000000001000ac10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 000000006f869054 5 bytes JMP 000000001000ad10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000006f86adf9 5 bytes JMP 000000001000abe0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 000000006f8852e8 5 bytes JMP 000000001000acd0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000006f88535f 5 bytes JMP 000000001000acf0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInClose 000000006f8859cc 5 bytes JMP 000000001000ae40 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 000000006f885a6a 5 bytes JMP 000000001000aec0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 000000006f885ad7 5 bytes JMP 000000001000af00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 000000006f885b5b 5 bytes JMP 000000001000af40 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInStart 000000006f885bba 5 bytes JMP 000000001000af80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInStop 000000006f885bee 5 bytes JMP 000000001000b000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInReset 000000006f885c22 5 bytes JMP 000000001000b060 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 000000006f885c67 5 bytes JMP 000000001000b0d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000073b97e3d 5 bytes JMP 000000001000a690 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 0000000073bcde69 5 bytes JMP 000000001000a770 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 0000000073bdd2c5 5 bytes JMP 000000001000a8a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 0000000073bdd371 5 bytes JMP 000000001000a990 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2736] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 0000000073bdd429 5 bytes JMP 000000001000aa80 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 711e0000 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000001000a4d0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765e9cfe 5 bytes JMP 000000001000a630 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000073b97e3d 5 bytes JMP 000000001000a690 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 0000000073bcde69 5 bytes JMP 000000001000a770 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 0000000073bdd2c5 5 bytes JMP 000000001000a8a0 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 0000000073bdd371 5 bytes JMP 000000001000a990 .text F:\Program Files (x86)\CopyQ\copyq.exe[2772] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 0000000073bdd429 5 bytes JMP 000000001000aa80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 70aa0000 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000001000a4d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765e9cfe 5 bytes JMP 000000001000a630 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000073b97e3d 5 bytes JMP 000000001000a690 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 0000000073bcde69 5 bytes JMP 000000001000a770 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 0000000073bdd2c5 5 bytes JMP 000000001000a8a0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 0000000073bdd371 5 bytes JMP 000000001000a990 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 0000000073bdd429 5 bytes JMP 000000001000aa80 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b31401 2 bytes JMP 74b7b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b31419 2 bytes JMP 74b7b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b31431 2 bytes JMP 74bf9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b3144a 2 bytes CALL 74b54885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b314dd 2 bytes JMP 74bf8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b314f5 2 bytes JMP 74bf8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b3150d 2 bytes JMP 74bf8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b31525 2 bytes JMP 74bf8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b3153d 2 bytes JMP 74b6fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b31555 2 bytes JMP 74b76907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b3156d 2 bytes JMP 74bf9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b31585 2 bytes JMP 74bf8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b3159d 2 bytes JMP 74bf88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b315b5 2 bytes JMP 74b6fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b315cd 2 bytes JMP 74b7b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b316b2 2 bytes JMP 74bf90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b316bd 2 bytes JMP 74bf8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 6d350000 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000732117fa 2 bytes CALL 74b511a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073211860 2 bytes CALL 74b511a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073211942 2 bytes JMP 75c66da1 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007321194d 2 bytes JMP 75c6e8de C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b31401 2 bytes JMP 74b7b233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b31419 2 bytes JMP 74b7b35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b31431 2 bytes JMP 74bf9149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b3144a 2 bytes CALL 74b54885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b314dd 2 bytes JMP 74bf8a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b314f5 2 bytes JMP 74bf8c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b3150d 2 bytes JMP 74bf8938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b31525 2 bytes JMP 74bf8d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b3153d 2 bytes JMP 74b6fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b31555 2 bytes JMP 74b76907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b3156d 2 bytes JMP 74bf9201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b31585 2 bytes JMP 74bf8d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b3159d 2 bytes JMP 74bf88fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b315b5 2 bytes JMP 74b6fd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b315cd 2 bytes JMP 74b7b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b316b2 2 bytes JMP 74bf90c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b316bd 2 bytes JMP 74bf8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[3068] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 6e5b0000 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765e9cbb 5 bytes JMP 000000007281c3f0 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b31401 2 bytes JMP 74b7b233 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b31419 2 bytes JMP 74b7b35e C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b31431 2 bytes JMP 74bf9149 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b3144a 2 bytes CALL 74b54885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b314dd 2 bytes JMP 74bf8a42 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b314f5 2 bytes JMP 74bf8c18 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b3150d 2 bytes JMP 74bf8938 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b31525 2 bytes JMP 74bf8d02 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b3153d 2 bytes JMP 74b6fcc0 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b31555 2 bytes JMP 74b76907 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b3156d 2 bytes JMP 74bf9201 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b31585 2 bytes JMP 74bf8d62 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b3159d 2 bytes JMP 74bf88fc C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b315b5 2 bytes JMP 74b6fd59 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b315cd 2 bytes JMP 74b7b2f4 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b316b2 2 bytes JMP 74bf90c4 C:\Windows\syswow64\kernel32.dll .text F:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b316bd 2 bytes JMP 74bf8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2372] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2632] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\SearchIndexer.exe[3148] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077022280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007704be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007704bef0 8 bytes JMP 000000006fff08f0 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007704bff0 8 bytes JMP 000000006fff0688 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0810 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007704c0a0 8 bytes JMP 000000006fff07a0 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007704c140 8 bytes JMP 000000006fff0848 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007704c1b0 8 bytes JMP 000000006fff04c8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007704c1d0 8 bytes JMP 000000006fff0768 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007704c210 8 bytes JMP 000000006fff05a8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007704c260 8 bytes JMP 000000006fff05e0 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff07d8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007704c470 8 bytes JMP 000000006fff0960 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007704c480 8 bytes JMP 000000006fff0458 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007704c580 8 bytes JMP 000000006fff0420 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007704c650 8 bytes JMP 000000006fff06c0 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007704c690 8 bytes JMP 000000006fff0500 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007704c700 1 byte JMP 000000006fff0490 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007704c702 6 bytes {JMP 0xfffffffff8fa3d90} .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007704c730 8 bytes JMP 000000006fff0570 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007704c790 8 bytes JMP 000000006fff0538 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007704c7a0 8 bytes JMP 000000006fff0880 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007704c7b0 8 bytes JMP 000000006fff0928 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007704cb20 8 bytes JMP 000000006fff06f8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007704cbb0 8 bytes JMP 000000006fff08b8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007704d420 8 bytes JMP 000000006fff0730 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007704d4a0 8 bytes JMP 000000006fff0618 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007704d520 8 bytes JMP 000000006fff0650 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcfb3a50 7 bytes JMP 000007fefc940148 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8d22e0 5 bytes JMP 000007fefc9402d0 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefe8d3e20 5 bytes JMP 000007fefc940298 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8d81f4 9 bytes JMP 000007fefc9401f0 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8d8824 9 bytes JMP 000007fefc9401b8 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8d8d7c 5 bytes JMP 000007fefc940228 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefe8e52c0 5 bytes JMP 000007fefc940260 .text C:\Windows\system32\svchost.exe[3296] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff026d10 11 bytes JMP 000007fefc940180 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007704beb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007704beb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007704c060 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007704c280 8 bytes JMP 000000006fff00d8 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000771ff9f0 5 bytes JMP 0000000072822c50 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000771ffb38 5 bytes JMP 00000000728183c0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000771ffcc0 5 bytes JMP 0000000072817970 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000771ffd74 5 bytes JMP 0000000072819180 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000771ffdd8 5 bytes JMP 0000000072818760 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000771ffed0 5 bytes JMP 000000007281ac90 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771fff84 5 bytes JMP 0000000072816be0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000771fffb4 5 bytes JMP 0000000072818970 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077200014 5 bytes JMP 0000000072817530 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077200094 5 bytes JMP 0000000072817780 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772000c4 5 bytes JMP 0000000072818d20 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772003c8 5 bytes JMP 000000007281a180 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772003e0 5 bytes JMP 000000007281ba50 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077200560 5 bytes JMP 000000007281b770 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772006a4 5 bytes JMP 0000000072817b60 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077200704 5 bytes JMP 000000007281bb60 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772007ac 5 bytes JMP 0000000072816ad0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772007f4 5 bytes JMP 000000007281bc70 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077200884 5 bytes JMP 0000000072816cf0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007720089c 5 bytes JMP 000000007281af60 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772008b4 5 bytes JMP 000000007281a6b0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077200e04 5 bytes JMP 0000000072817dd0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077200ee8 5 bytes JMP 00000000728181d0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077201bf4 5 bytes JMP 0000000072817fc0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077201cc4 5 bytes JMP 000000007281ab40 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077201d9c 5 bytes JMP 00000000728185b0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007721d2f6 7 bytes JMP 0000000072822ad0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074b63bbb 5 bytes JMP 0000000072815740 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074b69abc 5 bytes JMP 000000007280f260 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074b73b7a 7 bytes JMP 000000007280fe20 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000074b7cd11 5 bytes JMP 000000007280ef50 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000074bcddde 7 bytes JMP 000000007280f490 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000074bcde81 7 bytes JMP 000000007280f7a0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007670f8a7 5 bytes JMP 0000000072822ab0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076712e0b 4 bytes CALL 71640000 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f7ee21 5 bytes JMP 0000000072823810 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f881f5 5 bytes JMP 0000000072823140 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f88f4c 5 bytes JMP 0000000072822e80 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765258b3 5 bytes JMP 0000000072811960 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076527bcc 1 byte JMP 00000000728108d0 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076527bce 3 bytes {JMP 0xfffffffffc2e8d04} .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007652ae82 5 bytes JMP 0000000072811f00 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007652b98a 5 bytes JMP 0000000072811a30 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007652c08c 5 bytes JMP 0000000072811c70 .text C:\Users\Tomek\Desktop\xsvcctid.exe[4228] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007652e935 5 bytes JMP 0000000072810a80 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 30640 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 9062 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{1dca151e-cede-47c3-b0ac-2d02e72ae126}@Dhcpv6State 0 Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----