GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-09 13:46:58 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298.09GB Running: gmer.exe; Driver: C:\Users\Eddy\AppData\Local\Temp\kgldapob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800037b7000 65 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 626 fffff800037b7042 4 bytes [00, 00, 00, 00] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000193e00 7 bytes [00, A3, F3, FF, 01, AF, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000193e08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\services.exe[616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\services.exe[616] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd706bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076c76ef0 6 bytes {JMP QWORD [RIP+0x9729140]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076c78184 6 bytes {JMP QWORD [RIP+0x9807eac]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetParent 0000000076c78530 6 bytes {JMP QWORD [RIP+0x9747b00]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostMessageA 0000000076c7a404 6 bytes {JMP QWORD [RIP+0x94e5c2c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!EnableWindow 0000000076c7aaa0 6 bytes {JMP QWORD [RIP+0x9845590]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!MoveWindow 0000000076c7aad0 6 bytes {JMP QWORD [RIP+0x9765560]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076c7c720 6 bytes {JMP QWORD [RIP+0x9703910]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076c7cd50 6 bytes {JMP QWORD [RIP+0x97e32e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076c7d2b0 6 bytes {JMP QWORD [RIP+0x9522d80]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageA 0000000076c7d338 6 bytes {JMP QWORD [RIP+0x9562cf8]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076c7dc40 6 bytes {JMP QWORD [RIP+0x96423f0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076c7f510 6 bytes {JMP QWORD [RIP+0x9820b20]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c7f874 6 bytes {JMP QWORD [RIP+0x94a07bc]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076c7fac0 6 bytes {JMP QWORD [RIP+0x95c0570]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076c80b74 6 bytes {JMP QWORD [RIP+0x953f4bc]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076c84d4d 5 bytes {JMP QWORD [RIP+0x94bb2e4]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetKeyState 0000000076c85010 6 bytes {JMP QWORD [RIP+0x96db020]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076c85438 6 bytes {JMP QWORD [RIP+0x95fabf8]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageW 0000000076c86b50 6 bytes {JMP QWORD [RIP+0x95794e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostMessageW 0000000076c876e4 6 bytes {JMP QWORD [RIP+0x94f894c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076c8dd90 6 bytes {JMP QWORD [RIP+0x96722a0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076c8e874 6 bytes {JMP QWORD [RIP+0x97b17bc]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076c8f780 6 bytes {JMP QWORD [RIP+0x97708b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c928e4 6 bytes {JMP QWORD [RIP+0x960d74c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!mouse_event 0000000076c93894 6 bytes {JMP QWORD [RIP+0x944c79c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c98a10 6 bytes {JMP QWORD [RIP+0x96a7620]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c98be0 6 bytes {JMP QWORD [RIP+0x9587450]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c98c20 6 bytes {JMP QWORD [RIP+0x9467410]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendInput 0000000076c98cd0 6 bytes {JMP QWORD [RIP+0x9687360]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!BlockInput 0000000076c9ad60 6 bytes {JMP QWORD [RIP+0x97852d0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076cc14e0 6 bytes {JMP QWORD [RIP+0x981eb50]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!keybd_event 0000000076ce45a4 6 bytes {JMP QWORD [RIP+0x93dba8c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076cecc08 6 bytes {JMP QWORD [RIP+0x95f3428]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076cedf18 6 bytes {JMP QWORD [RIP+0x9572118]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes JMP 720065 .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsm.exe[640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd706bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[820] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes JMP 80052650 .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe[840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd706bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes JMP 40404064 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes JMP 490069 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes JMP f0f0f0f .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes JMP 87883 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0E] .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes JMP 0 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076c76ef0 6 bytes JMP ccccccc3 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076c78184 6 bytes JMP ffffffff .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SetParent 0000000076c78530 6 bytes {JMP QWORD [RIP+0x9747b00]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!PostMessageA 0000000076c7a404 6 bytes {JMP QWORD [RIP+0x94e5c2c]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!EnableWindow 0000000076c7aaa0 6 bytes {JMP QWORD [RIP+0x9845590]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!MoveWindow 0000000076c7aad0 6 bytes JMP e7d3ca8b .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076c7c720 6 bytes {JMP QWORD [RIP+0x9703910]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076c7cd50 6 bytes {JMP QWORD [RIP+0x97e32e0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076c7d2b0 6 bytes {JMP QWORD [RIP+0x9522d80]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendMessageA 0000000076c7d338 6 bytes {JMP QWORD [RIP+0x9562cf8]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076c7dc40 6 bytes {JMP QWORD [RIP+0x96423f0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076c7f510 6 bytes {JMP QWORD [RIP+0x9820b20]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c7f874 6 bytes {JMP QWORD [RIP+0x94a07bc]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076c7fac0 6 bytes {JMP QWORD [RIP+0x95c0570]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076c80b74 6 bytes {JMP QWORD [RIP+0x953f4bc]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076c84d4d 5 bytes {JMP QWORD [RIP+0x94bb2e4]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!GetKeyState 0000000076c85010 6 bytes {JMP QWORD [RIP+0x96db020]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076c85438 6 bytes {JMP QWORD [RIP+0x95fabf8]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendMessageW 0000000076c86b50 6 bytes {JMP QWORD [RIP+0x95794e0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!PostMessageW 0000000076c876e4 6 bytes {JMP QWORD [RIP+0x94f894c]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076c8dd90 6 bytes {JMP QWORD [RIP+0x96722a0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076c8e874 6 bytes {JMP QWORD [RIP+0x97b17bc]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076c8f780 6 bytes {JMP QWORD [RIP+0x97708b0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c928e4 6 bytes JMP cccc000c .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!mouse_event 0000000076c93894 6 bytes JMP 20 .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c98a10 6 bytes {JMP QWORD [RIP+0x96a7620]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c98be0 6 bytes {JMP QWORD [RIP+0x9587450]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c98c20 6 bytes {JMP QWORD [RIP+0x9467410]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendInput 0000000076c98cd0 6 bytes {JMP QWORD [RIP+0x9687360]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!BlockInput 0000000076c9ad60 6 bytes {JMP QWORD [RIP+0x97852d0]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076cc14e0 6 bytes {JMP QWORD [RIP+0x981eb50]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!keybd_event 0000000076ce45a4 6 bytes {JMP QWORD [RIP+0x93dba8c]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076cecc08 6 bytes {JMP QWORD [RIP+0x95f3428]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076cedf18 6 bytes {JMP QWORD [RIP+0x9572118]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text c:\Program Files\Microsoft Security Client\MsMpEng.exe[484] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes JMP 4a004a .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes JMP 8bde020 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes JMP 320031 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes JMP c9201 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes JMP a4414f1 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes JMP a .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes JMP 8ff1668 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes JMP a17a4c9 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes JMP 9c6c6a0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes JMP c019269 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes JMP 77e7059 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes JMP 9dafff0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes JMP 89fae29 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes JMP 9382e68 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes JMP 88fec71 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes JMP eee0eee0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes JMP 97b40b8 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes JMP 8a05531 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes JMP 76ae80 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes JMP a5ad7d8 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes JMP 7250202c .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes JMP 2d0033 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd706bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes JMP 720065 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP 1000100 .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes JMP 238 .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\AUDIODG.EXE[1232] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes JMP 1000100 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes JMP 9b9 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes JMP 300030 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes JMP 1d .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd706bd0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP 2001e .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP aab .text C:\Program Files\Bonjour\mDNSResponder.exe[1700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1824] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe[1928] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 0A] .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0E] .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP aab .text C:\Windows\system32\spool\DRIVERS\x64\3\lxeeserv.exe[1360] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lxeecoms.exe[1480] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70df000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7175000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 7142000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 70fd000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 713c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7136000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 714e000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7103000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7103000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7148000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 711b000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7112000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7112000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 70fa000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 710f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 710f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 714b000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7145000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 713f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7100000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 7151000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 712a000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7130000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7139000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 7154000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 710c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 710c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7127000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7124000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7118000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 711e000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 711e000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7121000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7121000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7106000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 70f7000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7157000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 715a000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 7133000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 712d000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7109000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7109000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7115000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7115000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7169000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7166000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 7172000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 715d000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 7163000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 716c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 716f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 7160000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7178000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 9 .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 37002d .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes JMP 720065 .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskeng.exe[2148] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP 773d85b1 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes JMP 720065 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Windows\Explorer.EXE[2244] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2452] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70fc000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70fc000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70e7000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70e7000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70ed000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70ed000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e4000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e4000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f0000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f0000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7108000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 7108000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7105000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7105000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ea000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 00000000cb84ca0d .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70d8000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70d8000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710b000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710b000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70f9000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70f9000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e1000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e1000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70db000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70db000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70f6000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70f6000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70de000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70de000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f3000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f3000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7102000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7102000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70ff000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70ff000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7114000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711a000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711a000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7132000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7129000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7129000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7111000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 7126000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 7126000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7117000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7141000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7147000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7123000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7123000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 713e000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713b000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 712f000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7135000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7135000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7138000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7138000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 711d000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 710e000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7144000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7120000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7120000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 712c000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 712c000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Windows\PLFSetI.exe[2536] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe[2544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe[2560] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Windows\System32\igfxtray.exe[2632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Windows\System32\igfxpers.exe[2700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe[2728] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2752] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Lexmark Pro700 Series\lxeemon.exe[2760] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70f5000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70f5000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70e0000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70e0000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70e6000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70e6000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70dd000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70dd000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70e9000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70e9000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7101000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000076f6ffe9 1 byte [71] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 70fe000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 70fe000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70e3000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70e3000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70d1000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70d1000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7104000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7104000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70f2000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70f2000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70da000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70da000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70d4000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70d4000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70ef000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70ef000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70d7000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70d7000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70ec000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70ec000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 70fb000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 70fb000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70f8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70f8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 710d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7113000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7113000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 712b000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7122000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7122000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 710a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 711f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 711f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7110000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 713a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 711c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 711c000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7137000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7134000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7128000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 712e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 712e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7131000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7131000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7116000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7107000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7119000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7119000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7125000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7125000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2800] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP aab .text C:\Windows\system32\igfxsrvc.exe[2864] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7109000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7109000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70db000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70db000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 00000000cb84e6e5 .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Lexmark Pro700 Series\ezprint.exe[2904] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2072] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710a000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710a000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7107000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7107000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70da000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70da000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710d000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710d000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7104000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7104000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7101000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 5 0000000076f71d71 1 byte [71] .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7116000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711c000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711c000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7134000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712b000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712b000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7113000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 7128000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 7128000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7119000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7143000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7149000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7125000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7125000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7140000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713d000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7131000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7137000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7137000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713a000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713a000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 711f000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7110000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7146000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7122000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7122000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 712e000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 712e000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe[2308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP f0 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes JMP a7c98 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2596] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70df000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7175000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 7142000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 70fd000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 713c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7136000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 714e000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7103000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7103000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7148000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 711b000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7112000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7112000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 70fa000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 710f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 710f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 714b000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7145000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 713f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7100000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 7151000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 712a000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7130000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7139000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 7154000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 710c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 710c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7127000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7124000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7118000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 711e000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 711e000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7121000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7121000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7106000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 70f7000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7157000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 715a000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 7133000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 712d000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7109000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7109000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7115000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7115000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7169000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7166000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 7172000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 715d000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 7163000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 716c000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 716f000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 7160000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[3296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7178000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 7172000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0E] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3708] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 7172000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0xe9db70]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0xeba450]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0xef4648]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3912] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0xecac20]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\wbem\unsecapp.exe[3196] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\SearchIndexer.exe[3812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\wbem\wmiprvse.exe[420] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xe7dd64]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x11adb70]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x11ca450]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xe37c98]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0xe17668]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xe56cec]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x1204648]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe[4796] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x11dac20]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP aab .text C:\Windows\system32\igfxext.exe[4748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[4892] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP aab .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4632] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd5cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[4916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4976] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[480] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes JMP aab .text C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe[4268] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93ae0 6 bytes {JMP QWORD [RIP+0x92ac550]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc1400 6 bytes {JMP QWORD [RIP+0x925ec30]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc15d0 6 bytes {JMP QWORD [RIP+0x97dea60]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc1640 6 bytes {JMP QWORD [RIP+0x98be9f0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1680 6 bytes {JMP QWORD [RIP+0x987e9b0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc1720 6 bytes {JMP QWORD [RIP+0x98de910]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc17b0 6 bytes {JMP QWORD [RIP+0x985e880]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc17f0 6 bytes {JMP QWORD [RIP+0x975e840]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc1840 6 bytes {JMP QWORD [RIP+0x977e7f0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1860 6 bytes {JMP QWORD [RIP+0x989e7d0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc1a50 6 bytes {JMP QWORD [RIP+0x995e5e0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b60 6 bytes {JMP QWORD [RIP+0x973e4d0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1c30 6 bytes {JMP QWORD [RIP+0x97fe400]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d80 6 bytes {JMP QWORD [RIP+0x98fe2b0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d90 6 bytes {JMP QWORD [RIP+0x993e2a0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc2100 6 bytes {JMP QWORD [RIP+0x981df30]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2190 6 bytes {JMP QWORD [RIP+0x991dea0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc2a00 6 bytes {JMP QWORD [RIP+0x983d630]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a80 6 bytes {JMP QWORD [RIP+0x979d5b0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2b00 6 bytes {JMP QWORD [RIP+0x97bd530]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076b5a420 6 bytes {JMP QWORD [RIP+0x9545c10]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b71b50 6 bytes {JMP QWORD [RIP+0x94ee4e0]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076be8810 6 bytes {JMP QWORD [RIP+0x9497820]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcc59aa5 3 bytes [65, 65, 06] .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc65290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb522cc 6 bytes JMP 0 .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb524c0 6 bytes JMP 0 .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb55be0 6 bytes JMP 0 .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb58398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb589c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb59344 6 bytes JMP 90000018 .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb5b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\iPod\bin\iPodService.exe[3908] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb65410 6 bytes JMP 0 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!KiUserApcDispatcher 0000000076f60028 5 bytes JMP 0000000100314620 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes [EC, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70de000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70de000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70db000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70db000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7105000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7105000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 00000000cb84cfed .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes [D1, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes [E6, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes [CE, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes [E3, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes [FB, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes [F8, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes [1D, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes [2C, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes {JMP QWORD [RIP+0x710a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes [29, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes [26, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes [38, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes [3B, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes [23, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes [2F, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 00000000766e4296 5 bytes JMP 0000000170bd0022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[3892] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000766f7673 5 bytes JMP 0000000170c50022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!KiUserApcDispatcher 0000000076f60028 5 bytes JMP 000000010119ca70 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes [EC, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70de000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70de000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes [D4, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 7102000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 7102000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70db000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70db000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 7105000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 7105000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 00000000cb84cfed .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes [D1, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes [E6, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes [CE, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes [E3, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes [FB, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes [F8, 70] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes [1D, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes [2C, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes {JMP QWORD [RIP+0x710a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes [29, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes [26, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes [38, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes [3B, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes [23, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes [2F, 71] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 00000000766e4296 5 bytes JMP 0000000170ba0022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[1888] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000766f7673 5 bytes JMP 0000000170be0022 .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9c0 3 bytes JMP 71af000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9c4 2 bytes JMP 71af000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fc90 3 bytes JMP 7100000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fc94 2 bytes JMP 7100000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd44 3 bytes JMP 70eb000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd48 2 bytes JMP 70eb000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fda8 3 bytes JMP 70f1000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdac 2 bytes JMP 70f1000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fea0 3 bytes JMP 70e8000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fea4 2 bytes JMP 70e8000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ff84 3 bytes JMP 70f4000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ff88 2 bytes JMP 70f4000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f6ffe4 3 bytes JMP 710c000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f6ffe8 2 bytes JMP 710c000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70064 3 bytes JMP 7109000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70068 2 bytes JMP 7109000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f70094 3 bytes JMP 70ee000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f70098 2 bytes JMP 70ee000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f70398 3 bytes JMP 70dc000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f7039c 2 bytes JMP 70dc000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70530 3 bytes JMP 710f000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70534 2 bytes JMP 710f000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70674 3 bytes JMP 70fd000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70678 2 bytes JMP 70fd000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7086c 3 bytes JMP 70e5000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70870 2 bytes JMP 70e5000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f70884 3 bytes JMP 70df000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f70888 2 bytes JMP 70df000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70dd4 3 bytes JMP 70fa000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70dd8 2 bytes JMP 70fa000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70eb8 3 bytes JMP 70e2000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70ebc 2 bytes JMP 70e2000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71bc4 3 bytes JMP 70f7000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71bc8 2 bytes JMP 70f7000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71c94 3 bytes JMP 7106000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71c98 2 bytes JMP 7106000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d6c 3 bytes JMP 7103000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d70 2 bytes JMP 7103000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91217 6 bytes JMP 71a8000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074a2103d 6 bytes JMP 719c000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074a21072 6 bytes JMP 7199000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074a4c9b5 6 bytes JMP 7190000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007537f776 6 bytes JMP 719f000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075382c91 4 bytes CALL 71ac0000 .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000761d8bff 6 bytes JMP 715d000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761d90d3 6 bytes JMP 7118000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000761d9679 6 bytes JMP 7157000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761d97d2 6 bytes JMP 7151000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000761dee09 6 bytes JMP 7169000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000761defc9 3 bytes JMP 711e000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000761defcd 2 bytes JMP 711e000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761e12a5 6 bytes JMP 7163000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761e291f 6 bytes JMP 7136000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetParent 00000000761e2d64 3 bytes JMP 712d000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000761e2d68 2 bytes JMP 712d000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761e2da4 6 bytes JMP 7115000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761e3698 3 bytes JMP 712a000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761e369c 2 bytes JMP 712a000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761e3baa 6 bytes JMP 7166000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761e3c61 6 bytes JMP 7160000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761e612e 6 bytes JMP 715a000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761e6c30 6 bytes JMP 711b000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761e7603 6 bytes JMP 716c000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761e7668 6 bytes JMP 7145000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761e76e0 6 bytes JMP 714b000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761e781f 6 bytes JMP 7154000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761e835c 6 bytes JMP 716f000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ec4b6 3 bytes JMP 7127000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ec4ba 2 bytes JMP 7127000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761fc112 6 bytes JMP 7142000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761fd0f5 6 bytes JMP 713f000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761feb96 6 bytes JMP 7133000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761fec68 3 bytes JMP 7139000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761fec6c 2 bytes JMP 7139000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput 00000000761fff4a 3 bytes JMP 713c000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761fff4e 2 bytes JMP 713c000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076219f1d 6 bytes JMP 7121000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076221497 6 bytes JMP 7112000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!mouse_event 000000007623027b 6 bytes JMP 7172000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762302bf 6 bytes JMP 7175000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076236cfc 6 bytes JMP 714e000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076236d5d 6 bytes JMP 7148000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076237dd7 3 bytes JMP 7124000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076237ddb 2 bytes JMP 7124000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762388eb 3 bytes JMP 7130000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762388ef 2 bytes JMP 7130000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750a58b3 6 bytes JMP 7184000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000750a5ea6 6 bytes JMP 7181000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750a7bcc 6 bytes JMP 718d000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000750ab895 6 bytes JMP 7178000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000750ac332 6 bytes JMP 717e000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000750acbfb 6 bytes JMP 7187000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750ae743 6 bytes JMP 718a000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000750d4646 6 bytes JMP 717b000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076992538 6 bytes JMP 7196000a .text C:\Users\Eddy\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[1560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769952e9 6 bytes JMP 7193000a ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3472:4644] 000007fefb422a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{7A5055BE-BB25-4526-9FCC-D30E12B9ECDF}\Connection@Name isatap.{C269C80A-DD91-456C-892C-4E62B6EF49FA} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{1700CFE2-377F-46E4-B749-619E5C0BE1EB}?\Device\{7A5055BE-BB25-4526-9FCC-D30E12B9ECDF}?\Device\{99E1ECF9-9DBB-46DD-A402-BD881398AA0D}?\Device\{F46D2E4D-EE30-4739-AC64-084241D83D53}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{1700CFE2-377F-46E4-B749-619E5C0BE1EB}"?"{7A5055BE-BB25-4526-9FCC-D30E12B9ECDF}"?"{99E1ECF9-9DBB-46DD-A402-BD881398AA0D}"?"{F46D2E4D-EE30-4739-AC64-084241D83D53}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{1700CFE2-377F-46E4-B749-619E5C0BE1EB}?\Device\TCPIP6TUNNEL_{7A5055BE-BB25-4526-9FCC-D30E12B9ECDF}?\Device\TCPIP6TUNNEL_{99E1ECF9-9DBB-46DD-A402-BD881398AA0D}?\Device\TCPIP6TUNNEL_{F46D2E4D-EE30-4739-AC64-084241D83D53}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{7A5055BE-BB25-4526-9FCC-D30E12B9ECDF}@InterfaceName isatap.{C269C80A-DD91-456C-892C-4E62B6EF49FA} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{7A5055BE-BB25-4526-9FCC-D30E12B9ECDF}@ReusableType 0 ---- EOF - GMER 2.1 ----