GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-03 19:33:46 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD502IJ rev.1AA01113 465,76GB Running: xj4gpv0y.exe; Driver: C:\Users\GRZEGO~1\AppData\Local\Temp\uflorfow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wininit.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000078c27640 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000078c29554 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SetParent 0000000078c29870 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!PostMessageA 0000000078c2ca54 5 bytes JMP 000000016fff0340 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!EnableWindow 0000000078c2d0f0 9 bytes JMP 000000016fff0928 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!MoveWindow 0000000078c2d120 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000078c2f0c4 5 bytes JMP 000000016fff06f8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000078c2f690 8 bytes JMP 000000016fff0880 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000078c2fc50 5 bytes JMP 000000016fff03b0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageA 0000000078c2fcd8 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000078c303f0 9 bytes JMP 000000016fff05a8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000078c31f30 7 bytes JMP 000000016fff08f0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000078c32294 9 bytes JMP 000000016fff02d0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000078c33464 10 bytes JMP 000000016fff03e8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000078c371e8 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!GetKeyState 0000000078c378c0 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000078c38e28 7 bytes JMP 000000016fff0538 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000078c38f9c 9 bytes JMP 000000016fff04c8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!PostMessageW 0000000078c392d4 7 bytes JMP 000000016fff0378 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageW 0000000078c3a800 2 bytes JMP 000000016fff0458 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageW + 3 0000000078c3a803 2 bytes [3B, F7] .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000078c40bf8 5 bytes JMP 000000016fff0618 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!GetClipboardData 0000000078c41584 5 bytes JMP 000000016fff0848 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000078c42360 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000078c45508 12 bytes JMP 000000016fff0570 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!mouse_event 0000000078c462c4 7 bytes JMP 000000016fff0260 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000078c491a0 8 bytes JMP 000000016fff0688 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000078c492e0 12 bytes JMP 000000016fff0490 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000078c49320 12 bytes JMP 000000016fff0298 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendInput 0000000078c493d0 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!BlockInput 0000000078c4b430 8 bytes JMP 000000016fff0810 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000078c716e0 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!EndTask 0000000078c71804 5 bytes JMP 000000016fff01f0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!keybd_event 0000000078c94474 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000078c9cc58 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000078c9dec8 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d88 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d50 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000078ea0700 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000078c27640 8 bytes JMP 000000016fff0730 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000078c29554 7 bytes JMP 000000016fff08b8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetParent 0000000078c29870 8 bytes JMP 000000016fff0768 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostMessageA 0000000078c2ca54 5 bytes JMP 000000016fff0340 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!EnableWindow 0000000078c2d0f0 9 bytes JMP 000000016fff0928 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!MoveWindow 0000000078c2d120 8 bytes JMP 000000016fff07a0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000078c2f0c4 5 bytes JMP 000000016fff06f8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000078c2f690 8 bytes JMP 000000016fff0880 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000078c2fc50 5 bytes JMP 000000016fff03b0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageA 0000000078c2fcd8 5 bytes JMP 000000016fff0420 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000078c303f0 9 bytes JMP 000000016fff05a8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000078c31f30 7 bytes JMP 000000016fff08f0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000078c32294 9 bytes JMP 000000016fff02d0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000078c33464 10 bytes JMP 000000016fff03e8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000078c371e8 5 bytes JMP 000000016fff0308 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetKeyState 0000000078c378c0 5 bytes JMP 000000016fff06c0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000078c38e28 7 bytes JMP 000000016fff0538 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000078c38f9c 9 bytes JMP 000000016fff04c8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostMessageW 0000000078c392d4 7 bytes JMP 000000016fff0378 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageW 0000000078c3a800 2 bytes JMP 000000016fff0458 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageW + 3 0000000078c3a803 2 bytes [3B, F7] .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000078c40bf8 5 bytes JMP 000000016fff0618 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetClipboardData 0000000078c41584 5 bytes JMP 000000016fff0848 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000078c42360 8 bytes JMP 000000016fff07d8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000078c45508 12 bytes JMP 000000016fff0570 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!mouse_event 0000000078c462c4 7 bytes JMP 000000016fff0260 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000078c491a0 8 bytes JMP 000000016fff0688 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000078c492e0 12 bytes JMP 000000016fff0490 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000078c49320 12 bytes JMP 000000016fff0298 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendInput 0000000078c493d0 8 bytes JMP 000000016fff0650 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!BlockInput 0000000078c4b430 8 bytes JMP 000000016fff0810 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000078c716e0 5 bytes JMP 000000016fff0960 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!EndTask 0000000078c71804 5 bytes JMP 000000016fff01f0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!keybd_event 0000000078c94474 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000078c9cc58 5 bytes JMP 000000016fff05e0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000078c9dec8 7 bytes JMP 000000016fff0500 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 0000080070500340 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 0000080070500340 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 00000800705003b0 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\System32\svchost.exe[596] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\System32\svchost.exe[596] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\System32\svchost.exe[596] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\System32\svchost.exe[596] C:\Windows\System32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 00000800705003b0 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\System32\svchost.exe[580] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\System32\svchost.exe[580] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\System32\svchost.exe[580] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\System32\svchost.exe[580] C:\Windows\System32\winsta.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 00000800705003b0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 00000800705003b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\System32\spoolsv.exe[1372] C:\Windows\System32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 00000800705003b0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 00000001002dce40 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 00000001002ec950 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 00000001002eae30 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 00000001002ebac0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 00000001002e9100 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 00000001002eb4d0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 00000001002ecdb0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 00000001002ecb70 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 00000001002eb130 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 00000001002e9b20 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 00000001002ec5e0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 00000001002e8d20 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 00000001002e9780 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 00000001002ec3d0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 00000001002ebf50 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 00000001002ec190 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001002e93b0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 00000001002ebd50 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 00000001002e5680 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 00000001002dcf60 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001002e26f0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 00000001002e3280 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 00000001002e1220 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 00000001002dcf90 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 00000001002db400 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 00000001002daec0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 00000001002da940 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 00000001002d7e60 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 00000001002dbe80 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 00000001002db940 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 00000001002dc190 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001002d90f0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 00000001002d8940 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 00000001002dbbe0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 00000001002db6a0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001002d86a0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 00000001002d7bc0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 00000001002d8e40 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001002d93a0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 00000001002dc840 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001002d84a0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 00000001002d9bd0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 00000001002dc5d0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 00000001002da3c0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 00000001002d9920 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 00000001002db160 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 00000001002dac00 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 00000001002dc3b0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 00000001002d9e80 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 00000001002d9650 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 00000001002d8090 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001002d79b0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001002e67b0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001002e69c0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 00000001002da680 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 00000001002da120 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001002d82a0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 00000001002d8c20 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 00000001002edf90 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 00000001002e5d00 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 00000001002e6520 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 00000001002e6d50 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 00000001002e5d40 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 00000001002e6270 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 00000001002e6c50 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 00000001002e5fe0 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1608] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 00000001002e1b50 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 000000010037ce40 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 000000010038c950 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 000000010038ae30 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 000000010038bac0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 0000000100389100 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 000000010038b4d0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 000000010038cdb0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 000000010038cb70 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 000000010038b130 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 0000000100389b20 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 000000010038c5e0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 0000000100388d20 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 0000000100389780 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 000000010038c3d0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 000000010038bf50 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 000000010038c190 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001003893b0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 000000010038bd50 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 0000000100385680 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 000000010037cf60 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001003826f0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 0000000100383280 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 0000000100381220 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 000000010037cf90 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 0000000100381b50 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 000000010037b400 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 000000010037aec0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 000000010037a940 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 0000000100377e60 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 000000010037be80 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 000000010037b940 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 000000010037c190 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001003790f0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 0000000100378940 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 000000010037bbe0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 000000010037b6a0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001003786a0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 0000000100377bc0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 0000000100378e40 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001003793a0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 000000010037c840 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001003784a0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 0000000100379bd0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 000000010037c5d0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 000000010037a3c0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 0000000100379920 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 000000010037b160 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 000000010037ac00 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 000000010037c3b0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 0000000100379e80 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 0000000100379650 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 0000000100378090 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001003779b0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001003867b0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001003869c0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 000000010037a680 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 000000010037a120 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001003782a0 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 0000000100378c20 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 000000010038df90 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 0000000100385d00 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 0000000100386520 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 3 bytes JMP 0000000100386d50 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCA + 4 000000007dac95f8 1 byte [82] .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 3 bytes JMP 0000000100385d40 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!StretchBlt + 4 000000007dacba59 1 byte [82] .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 3 bytes JMP 0000000100386270 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!MaskBlt + 4 000000007dacc753 1 byte [82] .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 3 bytes JMP 0000000100386c50 .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCW + 4 000000007dace461 1 byte [82] .text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 0000000100385fe0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 000000010018ce40 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 000000010019c950 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 000000010019ae30 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 000000010019bac0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 0000000100199100 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 000000010019b4d0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 000000010019cdb0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 000000010019cb70 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 000000010019b130 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 0000000100199b20 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 000000010019c5e0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 0000000100198d20 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 0000000100199780 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 000000010019c3d0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 000000010019bf50 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 000000010019c190 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001001993b0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 000000010019bd50 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 0000000100195680 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 000000010018cf60 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001001926f0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 0000000100193280 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 0000000100191220 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 000000010018cf90 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 000000010018b400 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 000000010018aec0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 000000010018a940 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 0000000100187e60 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 000000010018be80 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 000000010018b940 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 000000010018c190 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001001890f0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 0000000100188940 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 000000010018bbe0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 000000010018b6a0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001001886a0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 0000000100187bc0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 0000000100188e40 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001001893a0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 000000010018c840 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001001884a0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 0000000100189bd0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 000000010018c5d0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 000000010018a3c0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 0000000100189920 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 000000010018b160 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 000000010018ac00 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 000000010018c3b0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 0000000100189e80 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 0000000100189650 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 0000000100188090 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001001879b0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001001967b0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001001969c0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 000000010018a680 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 000000010018a120 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001001882a0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 0000000100188c20 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 000000010019df90 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 0000000100195d00 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 0000000100196520 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 0000000100196d50 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 0000000100195d40 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 0000000100196270 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 0000000100196c50 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 0000000100195fe0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 0000000100191b50 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\fltlib.dll!FilterConnectCommunicationPort 00000000403f12c6 5 bytes JMP 000000010018ceb0 .text C:\Windows\SysWOW64\svchost.exe[1672] C:\Windows\SysWOW64\fltlib.dll!FilterSendMessage 00000000403f2384 5 bytes JMP 000000010018ce70 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\System32\svchost.exe[1696] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\System32\svchost.exe[1724] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 000000010023ce40 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 000000010024c950 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 000000010024ae30 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 000000010024bac0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 0000000100249100 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 000000010024b4d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 000000010024cdb0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 000000010024cb70 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 000000010024b130 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 0000000100249b20 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 000000010024c5e0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 0000000100248d20 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 0000000100249780 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 000000010024c3d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 000000010024bf50 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 000000010024c190 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001002493b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 000000010024bd50 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 0000000100245680 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 000000010023cf60 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001002426f0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 0000000100243280 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 0000000100241220 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 000000010023cf90 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 000000010023b400 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 000000010023aec0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 000000010023a940 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 0000000100237e60 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 000000010023be80 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 000000010023b940 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 000000010023c190 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001002390f0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 0000000100238940 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 000000010023bbe0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 000000010023b6a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001002386a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 0000000100237bc0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 0000000100238e40 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001002393a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 000000010023c840 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001002384a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 0000000100239bd0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 000000010023c5d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 000000010023a3c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 0000000100239920 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 000000010023b160 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 000000010023ac00 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 000000010023c3b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 0000000100239e80 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 0000000100239650 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 0000000100238090 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001002379b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001002467b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001002469c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 000000010023a680 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 000000010023a120 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001002382a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 0000000100238c20 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 000000010024df90 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 0000000100245d00 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 0000000100246520 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 0000000100246d50 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 0000000100245d40 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 0000000100246270 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 0000000100246c50 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 0000000100245fe0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 0000000100241b50 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\fltlib.dll!FilterConnectCommunicationPort 00000000403f12c6 5 bytes JMP 000000010023ceb0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\SysWOW64\fltlib.dll!FilterSendMessage 00000000403f2384 5 bytes JMP 000000010023ce70 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007257a2d4 5 bytes JMP 000000010024e1d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1772] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007259583f 5 bytes JMP 000000010024e410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] C:\Windows\system32\WINSTA.dll!WinStationTerminateProcess 000007ff71c0d444 5 bytes JMP 00000800705003b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[612] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe[1436] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Program Files (x86)\AVG\AVG2013\avgemca.exe[1280] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\taskhost.exe[2704] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\Explorer.EXE[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\Explorer.EXE[2768] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 00000001028bce40 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 00000001028cc950 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 00000001028cae30 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 00000001028cbac0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 00000001028c9100 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 00000001028cb4d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 00000001028ccdb0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 00000001028ccb70 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 00000001028cb130 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 00000001028c9b20 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 00000001028cc5e0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 00000001028c8d20 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 00000001028c9780 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 00000001028cc3d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 00000001028cbf50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 00000001028cc190 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001028c93b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 00000001028cbd50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 00000001028c5680 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 00000001028bcf60 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001028c26f0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 00000001028c3280 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 00000001028c1220 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 00000001028bcf90 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 00000001028c5d00 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 00000001028c6520 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 00000001028c6d50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 00000001028c5d40 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 00000001028c6270 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 00000001028c6c50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 00000001028c5fe0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 00000001028bb400 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 00000001028baec0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 00000001028ba940 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 00000001028b7e60 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 00000001028bbe80 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 00000001028bb940 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 00000001028bc190 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001028b90f0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 00000001028b8940 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 00000001028bbbe0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 00000001028bb6a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001028b86a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 00000001028b7bc0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 00000001028b8e40 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001028b93a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 00000001028bc840 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001028b84a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 00000001028b9bd0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 00000001028bc5d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 00000001028ba3c0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 00000001028b9920 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 00000001028bb160 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 00000001028bac00 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 00000001028bc3b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 00000001028b9e80 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 00000001028b9650 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 00000001028b8090 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001028b79b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001028c67b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001028c69c0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 00000001028ba680 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 00000001028ba120 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001028b82a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 00000001028b8c20 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 00000001028cdf90 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 00000001028c1b50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007257a2d4 5 bytes JMP 00000001028ce1d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3052] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007259583f 5 bytes JMP 00000001028ce410 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 00000001007bce40 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 00000001007cc950 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 00000001007cae30 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 00000001007cbac0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 00000001007c9100 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 00000001007cb4d0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 00000001007ccdb0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 00000001007ccb70 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 00000001007cb130 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 00000001007c9b20 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 00000001007cc5e0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 00000001007c8d20 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 00000001007c9780 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 00000001007cc3d0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 00000001007cbf50 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 00000001007cc190 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001007c93b0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 00000001007cbd50 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 00000001007c5680 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 00000001007bcf60 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001007c26f0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 00000001007c3280 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 00000001007c1220 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 00000001007bcf90 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 00000001007c1b50 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 00000001007bb400 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 00000001007baec0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 00000001007ba940 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 00000001007b7e60 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 00000001007bbe80 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 00000001007bb940 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 00000001007bc190 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001007b90f0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 00000001007b8940 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 00000001007bbbe0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 00000001007bb6a0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001007b86a0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 00000001007b7bc0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 00000001007b8e40 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001007b93a0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 00000001007bc840 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001007b84a0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 00000001007b9bd0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 00000001007bc5d0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 00000001007ba3c0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 00000001007b9920 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 00000001007bb160 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 00000001007bac00 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 00000001007bc3b0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 00000001007b9e80 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 00000001007b9650 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 00000001007b8090 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001007b79b0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001007c67b0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001007c69c0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 00000001007ba680 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 00000001007ba120 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001007b82a0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 00000001007b8c20 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 00000001007cdf90 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 00000001007c5d00 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 00000001007c6520 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 00000001007c6d50 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 00000001007c5d40 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 00000001007c6270 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 00000001007c6c50 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 00000001007c5fe0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007257a2d4 5 bytes JMP 00000001007ce1d0 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[2556] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007259583f 5 bytes JMP 00000001007ce410 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500308 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500228 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 0000080070500260 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 00000800705001f0 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 00000800705001b8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500298 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 0000080070500340 .text C:\Windows\system32\svchost.exe[2156] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 0000080070500378 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007de8f951 7 bytes {MOV EDX, 0xc06228; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 000000010187ce40 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007de8fb95 7 bytes {MOV EDX, 0xc06268; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007de8fbc5 7 bytes {MOV EDX, 0xc061a8; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007de8fbdd 7 bytes {MOV EDX, 0xc06128; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007de8fbf5 7 bytes {MOV EDX, 0xc06328; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007de8fc25 7 bytes {MOV EDX, 0xc06368; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 000000010188c950 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007de8fca5 7 bytes {MOV EDX, 0xc062e8; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007de8fcbd 7 bytes {MOV EDX, 0xc062a8; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 12 bytes JMP 000000010188ae30 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 000000010188bac0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007de8fe01 7 bytes {MOV EDX, 0xc060a8; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 0000000101889100 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 000000010188b4d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 000000010188cdb0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 000000010188cb70 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 12 bytes JMP 000000010188b130 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 0000000101889b20 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 000000010188c5e0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 0000000101888d20 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 0000000101889780 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 000000010188c3d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 000000010188bf50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 000000007de91065 7 bytes {MOV EDX, 0xc061e8; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007de910dd 7 bytes {MOV EDX, 0xc06168; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 000000007de912e1 7 bytes {MOV EDX, 0xc060e8; JMP RDX} .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 000000010188c190 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001018893b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 000000010188bd50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 0000000101885680 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 000000010187cf60 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001018826f0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 0000000101883280 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 0000000101881220 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 000000010187cf90 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 0000000101885d00 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 0000000101886520 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 0000000101886d50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 0000000101885d40 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 0000000101886270 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 0000000101886c50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 0000000101885fe0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 000000010187b400 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 000000010187aec0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 000000010187a940 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 0000000101877e60 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 000000010187be80 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 000000010187b940 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 000000010187c190 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001018790f0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 0000000101878940 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 000000010187bbe0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 000000010187b6a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001018786a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 0000000101877bc0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 0000000101878e40 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001018793a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 000000010187c840 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001018784a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 0000000101879bd0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 000000010187c5d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 000000010187a3c0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 0000000101879920 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 000000010187b160 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 000000010187ac00 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 000000010187c3b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 0000000101879e80 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 0000000101879650 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 0000000101878090 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001018779b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001018867b0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001018869c0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 000000010187a680 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 000000010187a120 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001018782a0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 0000000101878c20 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 000000010188df90 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 0000000101881b50 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007257a2d4 5 bytes JMP 000000010188e1d0 .text C:\Users\Grzegorz Szczotka\AppData\Local\Pokki\Engine\pokki.exe[3668] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007259583f 5 bytes JMP 000000010188e410 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007ff7ff5a1a0 7 bytes JMP 0000080070500180 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3468] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000078e72fd0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000078e84a20 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000078e9ffa0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000078ea0170 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000078ea01e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000078ea0220 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000078ea02c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000078ea0350 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000078ea0390 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000078ea03e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000078ea0400 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000078ea05f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000078ea07d0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000078ea0920 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000078ea0930 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000078ea0ca0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000078ea0d30 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000078ea15a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000078ea1620 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000078ea16a0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000078d2b3d0 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000078d3e7b0 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000078db8730 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007ff38894920 7 bytes JMP 000007ff70500148 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!DeleteDC 000007ff7fd7222c 5 bytes JMP 0000080070500378 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!BitBlt 000007ff7fd72418 5 bytes JMP 0000080070500298 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!MaskBlt 000007ff7fd773b0 5 bytes JMP 00000800705002d0 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!CreateDCW 000007ff7fd78258 9 bytes JMP 0000080070500260 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!CreateDCA 000007ff7fd78378 9 bytes JMP 0000080070500228 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!StretchBlt 000007ff7fd7bb44 5 bytes JMP 0000080070500340 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\GDI32.dll!PlgBlt 000007ff7fd7dc78 5 bytes JMP 0000080070500308 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\ole32.dll!CoCreateInstanceEx 000007ff7a5fd630 5 bytes JMP 00000800705001b8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\System32\ole32.dll!CoGetClassObject 000007ff7a617728 5 bytes JMP 00000800705001f0 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007ff70512370 7 bytes JMP 00000800705000d8 .text C:\Windows\system32\AUDIODG.EXE[4084] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007ff70512598 10 bytes JMP 0000080070500110 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007de8f980 5 bytes JMP 000000011001ce40 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007de8fc50 5 bytes JMP 000000011002c950 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007de8fd04 5 bytes JMP 000000011002ae30 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007de8fd68 5 bytes JMP 000000011002bac0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007de8fe60 5 bytes JMP 0000000110029100 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007de8ff44 5 bytes JMP 000000011002b4d0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007de8ffa4 5 bytes JMP 000000011002cdb0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 000000007de90024 5 bytes JMP 000000011002cb70 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 000000007de90054 5 bytes JMP 000000011002b130 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 000000007de90358 5 bytes JMP 0000000110029b20 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 000000007de90634 5 bytes JMP 000000011002c5e0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007de9082c 5 bytes JMP 0000000110028d20 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 000000007de90844 5 bytes JMP 0000000110029780 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 000000007de90d94 5 bytes JMP 000000011002c3d0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 000000007de90e78 5 bytes JMP 000000011002bf50 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 000000007de91b84 5 bytes JMP 000000011002c190 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 000000007de91c54 5 bytes JMP 00000001100293b0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 000000007de91d2c 5 bytes JMP 000000011002bd50 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007deac0a2 5 bytes JMP 0000000110025680 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007deb1067 7 bytes JMP 000000011001cf60 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007dd7102d 5 bytes JMP 00000001100226f0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateProcessA 000000007dd71062 5 bytes JMP 0000000110023280 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007dd9126f 5 bytes JMP 0000000110021220 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007d85eae7 5 bytes JMP 000000011001cf90 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 000000007dc68e6e 5 bytes JMP 000000011001b400 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007dc6cd35 5 bytes JMP 000000011001aec0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007dc6d0da 5 bytes JMP 000000011001a940 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007dc6d277 5 bytes JMP 0000000110017e60 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007dc6f0e6 5 bytes JMP 000000011001be80 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!PostMessageW 000000007dc70f14 5 bytes JMP 000000011001b940 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 000000007dc70f9f 7 bytes JMP 000000011001c190 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007dc72902 5 bytes JMP 00000001100190f0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!MoveWindow 000000007dc735fb 5 bytes JMP 0000000110018940 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!PostMessageA 000000007dc73cbf 5 bytes JMP 000000011001bbe0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 000000007dc73d76 5 bytes JMP 000000011001b6a0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SetParent 000000007dc73f14 5 bytes JMP 00000001100186a0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!EnableWindow 000000007dc73f54 5 bytes JMP 0000000110017bc0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007dc74858 5 bytes JMP 0000000110018e40 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007dc7492a 5 bytes JMP 00000001100193a0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007dc78364 5 bytes JMP 000000011001c840 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007dc7b7e6 5 bytes JMP 00000001100184a0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007dc7c991 5 bytes JMP 0000000110019bd0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007dc806b3 5 bytes JMP 000000011001c5d0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007dc8090f 5 bytes JMP 000000011001a3c0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007dc82959 5 bytes JMP 0000000110019920 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007dc8eef4 5 bytes JMP 000000011001b160 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007dc8f422 5 bytes JMP 000000011001ac00 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007dc8f9b0 7 bytes JMP 000000011001c3b0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 000000007dc90f60 5 bytes JMP 0000000110019e80 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendInput 000000007dc9195e 5 bytes JMP 0000000110019650 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!GetClipboardData 000000007dca9f3b 5 bytes JMP 0000000110018090 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007dcb15ef 5 bytes JMP 00000001100179b0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!mouse_event 000000007dcc040b 5 bytes JMP 00000001100267b0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!keybd_event 000000007dcc044f 5 bytes JMP 00000001100269c0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 000000007dcc6e8c 5 bytes JMP 000000011001a680 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 000000007dcc6eed 5 bytes JMP 000000011001a120 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!BlockInput 000000007dcc7f67 5 bytes JMP 00000001100182a0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 000000007dcc8a7b 5 bytes JMP 0000000110018c20 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\USER32.dll!EndTask 000000007dcca826 5 bytes JMP 000000011002df90 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!DeleteDC 000000007dac5876 5 bytes JMP 0000000110025d00 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!BitBlt 000000007dac5ea6 5 bytes JMP 0000000110026520 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!CreateDCA 000000007dac95f4 5 bytes JMP 0000000110026d50 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007dacba55 5 bytes JMP 0000000110025d40 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007dacc74f 5 bytes JMP 0000000110026270 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007dace45d 5 bytes JMP 0000000110026c50 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007daf4636 5 bytes JMP 0000000110025fe0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077ca14fd 5 bytes JMP 0000000110021b50 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007257a2d4 5 bytes JMP 000000011002e1d0 .text C:\Users\Grzegorz Szczotka\Downloads\xj4gpv0y.exe[3392] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007259583f 5 bytes JMP 000000011002e410 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7ff7234741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7ff72345f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7ff72345674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7ff72345e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7ff72347f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7ff72346a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7ff72346ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7ff72347b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7ff72347ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7ff723478b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7ff72344fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7ff72345d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1836] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7ff72347584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x88 0x87 0x9E 0xB2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1F 0x90 0x85 0x77 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3F 0x93 0xA1 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x88 0x87 0x9E 0xB2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1F 0x90 0x85 0x77 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3F 0x93 0xA1 0xC6 ... ---- Files - GMER 2.1 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes ---- EOF - GMER 2.1 ----