gmer

a guest
Jul 1st, 2013
  1. GMER 2.1.19163 - http://www.gmer.net
  2. Rootkit scan 2013-07-01 01:11:05
  3. Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000073 TOSHIBA_ rev.GH10 232.89GB
  4. Running: mfwfrjzb.exe; Driver: C:\Users\JANESE~1\AppData\Local\Temp\uxdyiuoc.sys
  5.  
  6.  
  7. ---- Kernel code sections - GMER 2.1 ----
  8.  
  9. .text C:\windows\System32\win32k.sys!W32pServiceTable
  10.  
  11. fffff96000194000 7 bytes [80, 93, F3, FF, 01, 9D, F0]
  12. .text C:\windows\System32\win32k.sys!W32pServiceTable + 8
  13.  
  14. fffff96000194008 3 bytes [C0, 06, 02]
  15.  
  16. ---- User code sections - GMER 2.1 ----
  17.  
  18. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  19.  
  20. 00000000770fa420 12 bytes JMP 000000016fff01b8
  21. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\kernel32.dll!CreateProcessW
  22.  
  23. 0000000077111b50 12 bytes JMP 000000016fff0148
  24. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\kernel32.dll!CreateProcessA
  25.  
  26. 0000000077188810 7 bytes JMP 000000016fff0180
  27. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  28.  
  29. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  30. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!RegisterRawInputDevices
  31.  
  32. 0000000077216ef0 8 bytes JMP 000000016fff06f8
  33. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SystemParametersInfoA
  34.  
  35. 0000000077218184 7 bytes JMP 000000016fff0880
  36. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SetParent
  37.  
  38. 0000000077218530 8 bytes JMP 000000016fff0730
  39. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!PostMessageA
  40.  
  41. 000000007721a404 5 bytes JMP 000000016fff0308
  42. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!EnableWindow
  43.  
  44. 000000007721aaa0 9 bytes JMP 000000016fff08f0
  45. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!MoveWindow
  46.  
  47. 000000007721aad0 8 bytes JMP 000000016fff0768
  48. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!GetAsyncKeyState
  49.  
  50. 000000007721c720 5 bytes JMP 000000016fff06c0
  51. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!RegisterHotKey
  52.  
  53. 000000007721cd50 8 bytes JMP 000000016fff0848
  54. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!PostThreadMessageA
  55.  
  56. 000000007721d2b0 5 bytes JMP 000000016fff0378
  57. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendMessageA
  58.  
  59. 000000007721d338 5 bytes JMP 000000016fff03e8
  60. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendNotifyMessageW
  61.  
  62. 000000007721dc40 9 bytes JMP 000000016fff0570
  63. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SystemParametersInfoW
  64.  
  65. 000000007721f510 7 bytes JMP 000000016fff08b8
  66. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SetWindowsHookExW
  67.  
  68. 000000007721f874 9 bytes JMP 000000016fff0298
  69. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendMessageTimeoutW
  70.  
  71. 000000007721fac0 9 bytes JMP 000000016fff0490
  72. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!PostThreadMessageW
  73.  
  74. 0000000077220b74 10 bytes JMP 000000016fff03b0
  75. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SetWinEventHook
  76.  
  77. 0000000077224d4c 5 bytes JMP 000000016fff02d0
  78. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!GetKeyState
  79.  
  80. 0000000077225010 5 bytes JMP 000000016fff0688
  81. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendMessageCallbackW
  82.  
  83. 0000000077225438 7 bytes JMP 000000016fff0500
  84. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendMessageW
  85.  
  86. 0000000077226b50 5 bytes JMP 000000016fff0420
  87. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!PostMessageW
  88.  
  89. 00000000772276e4 7 bytes JMP 000000016fff0340
  90. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendDlgItemMessageW
  91.  
  92. 000000007722dd90 5 bytes JMP 000000016fff05e0
  93. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!GetClipboardData
  94.  
  95. 000000007722e874 5 bytes JMP 000000016fff0810
  96. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SetClipboardViewer
  97.  
  98. 000000007722f780 8 bytes JMP 000000016fff07a0
  99. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendNotifyMessageA
  100.  
  101. 00000000772328e4 12 bytes JMP 000000016fff0538
  102. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!mouse_event
  103.  
  104. 0000000077233894 7 bytes JMP 000000016fff0228
  105. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!GetKeyboardState
  106.  
  107. 0000000077238a10 8 bytes JMP 000000016fff0650
  108. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendMessageTimeoutA
  109.  
  110. 0000000077238be0 12 bytes JMP 000000016fff0458
  111. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SetWindowsHookExA
  112.  
  113. 0000000077238c20 12 bytes JMP 000000016fff0260
  114. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendInput
  115.  
  116. 0000000077238cd0 8 bytes JMP 000000016fff0618
  117. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!BlockInput
  118.  
  119. 000000007723ad60 8 bytes JMP 000000016fff07d8
  120. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!ExitWindowsEx
  121.  
  122. 00000000772614e0 5 bytes JMP 000000016fff0928
  123. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!keybd_event
  124.  
  125. 00000000772845a4 7 bytes JMP 000000016fff01f0
  126. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendDlgItemMessageA
  127.  
  128. 000000007728cc08 5 bytes JMP 000000016fff05a8
  129. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\USER32.dll!SendMessageCallbackA
  130.  
  131. 000000007728df18 7 bytes JMP 000000016fff04c8
  132. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!DeleteDC
  133.  
  134. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  135. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!BitBlt
  136.  
  137. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  138. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!MaskBlt
  139.  
  140. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  141. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!CreateDCW
  142.  
  143. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  144. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!CreateDCA
  145.  
  146. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  147. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!GetPixel
  148.  
  149. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  150. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!StretchBlt
  151.  
  152. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  153. .text C:\windows\system32\wininit.exe[492] C:\windows\system32\GDI32.dll!PlgBlt
  154.  
  155. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  156. .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort
  157.  
  158. 00000000773613c0 8 bytes JMP 000000016fff00d8
  159. .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx
  160.  
  161. 00000000773615c0 8 bytes JMP 000000016fff0110
  162. .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  163.  
  164. 0000000077361b60 8 bytes JMP 000000016fff0148
  165. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  166.  
  167. 0000000077333ae0 5 bytes JMP 000000016fff0110
  168. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  169.  
  170. 0000000077337a90 5 bytes JMP 000000016fff0d50
  171. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtClose
  172.  
  173. 0000000077361400 8 bytes JMP 000000016fff00d8
  174. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  175.  
  176. 00000000773615d0 8 bytes JMP 000000016fff0a78
  177. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  178.  
  179. 0000000077361640 8 bytes JMP 000000016fff0c00
  180. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  181.  
  182. 0000000077361680 8 bytes JMP 000000016fff0b90
  183. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  184.  
  185. 0000000077361720 8 bytes JMP 000000016fff0c38
  186. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  187.  
  188. 00000000773617b0 8 bytes JMP 000000016fff0b58
  189. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  190.  
  191. 00000000773617f0 8 bytes JMP 000000016fff0998
  192. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  193.  
  194. 0000000077361840 1 byte JMP 000000016fff09d0
  195. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  196.  
  197. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  198. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  199.  
  200. 0000000077361860 8 bytes JMP 000000016fff0bc8
  201. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  202.  
  203. 0000000077361a50 8 bytes JMP 000000016fff0d18
  204. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  205.  
  206. 0000000077361b60 8 bytes JMP 000000016fff0960
  207. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  208.  
  209. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  210. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  211.  
  212. 0000000077361d80 8 bytes JMP 000000016fff0c70
  213. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  214.  
  215. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  216. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  217.  
  218. 0000000077362100 8 bytes JMP 000000016fff0ae8
  219. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  220.  
  221. 0000000077362190 8 bytes JMP 000000016fff0ca8
  222. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  223.  
  224. 0000000077362a00 8 bytes JMP 000000016fff0b20
  225. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  226.  
  227. 0000000077362a80 8 bytes JMP 000000016fff0a08
  228. .text C:\windows\system32\services.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  229.  
  230. 0000000077362b00 8 bytes JMP 000000016fff0a40
  231. .text C:\windows\system32\services.exe[552] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  232.  
  233. 00000000770fa420 12 bytes JMP 000000016fff01b8
  234. .text C:\windows\system32\services.exe[552] C:\windows\system32\kernel32.dll!CreateProcessW
  235.  
  236. 0000000077111b50 12 bytes JMP 000000016fff0148
  237. .text C:\windows\system32\services.exe[552] C:\windows\system32\kernel32.dll!CreateProcessA
  238.  
  239. 0000000077188810 7 bytes JMP 000000016fff0180
  240. .text C:\windows\system32\services.exe[552] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  241.  
  242. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  243. .text C:\windows\system32\services.exe[552] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx
  244.  
  245. 000007fefeac6bd0 5 bytes JMP 000007fffd0c01b8
  246. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!RegisterRawInputDevices
  247.  
  248. 0000000077216ef0 8 bytes JMP 000000016fff06f8
  249. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SystemParametersInfoA
  250.  
  251. 0000000077218184 7 bytes JMP 000000016fff0880
  252. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SetParent
  253.  
  254. 0000000077218530 8 bytes JMP 000000016fff0730
  255. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!PostMessageA
  256.  
  257. 000000007721a404 5 bytes JMP 000000016fff0308
  258. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!EnableWindow
  259.  
  260. 000000007721aaa0 9 bytes JMP 000000016fff08f0
  261. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!MoveWindow
  262.  
  263. 000000007721aad0 8 bytes JMP 000000016fff0768
  264. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!GetAsyncKeyState
  265.  
  266. 000000007721c720 5 bytes JMP 000000016fff06c0
  267. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!RegisterHotKey
  268.  
  269. 000000007721cd50 8 bytes JMP 000000016fff0848
  270. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!PostThreadMessageA
  271.  
  272. 000000007721d2b0 5 bytes JMP 000000016fff0378
  273. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendMessageA
  274.  
  275. 000000007721d338 5 bytes JMP 000000016fff03e8
  276. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendNotifyMessageW
  277.  
  278. 000000007721dc40 9 bytes JMP 000000016fff0570
  279. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SystemParametersInfoW
  280.  
  281. 000000007721f510 7 bytes JMP 000000016fff08b8
  282. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SetWindowsHookExW
  283.  
  284. 000000007721f874 9 bytes JMP 000000016fff0298
  285. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendMessageTimeoutW
  286.  
  287. 000000007721fac0 9 bytes JMP 000000016fff0490
  288. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!PostThreadMessageW
  289.  
  290. 0000000077220b74 10 bytes JMP 000000016fff03b0
  291. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SetWinEventHook
  292.  
  293. 0000000077224d4c 5 bytes JMP 000000016fff02d0
  294. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!GetKeyState
  295.  
  296. 0000000077225010 5 bytes JMP 000000016fff0688
  297. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendMessageCallbackW
  298.  
  299. 0000000077225438 7 bytes JMP 000000016fff0500
  300. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendMessageW
  301.  
  302. 0000000077226b50 5 bytes JMP 000000016fff0420
  303. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!PostMessageW
  304.  
  305. 00000000772276e4 7 bytes JMP 000000016fff0340
  306. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendDlgItemMessageW
  307.  
  308. 000000007722dd90 5 bytes JMP 000000016fff05e0
  309. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!GetClipboardData
  310.  
  311. 000000007722e874 5 bytes JMP 000000016fff0810
  312. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SetClipboardViewer
  313.  
  314. 000000007722f780 8 bytes JMP 000000016fff07a0
  315. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendNotifyMessageA
  316.  
  317. 00000000772328e4 12 bytes JMP 000000016fff0538
  318. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!mouse_event
  319.  
  320. 0000000077233894 7 bytes JMP 000000016fff0228
  321. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!GetKeyboardState
  322.  
  323. 0000000077238a10 8 bytes JMP 000000016fff0650
  324. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendMessageTimeoutA
  325.  
  326. 0000000077238be0 12 bytes JMP 000000016fff0458
  327. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SetWindowsHookExA
  328.  
  329. 0000000077238c20 12 bytes JMP 000000016fff0260
  330. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendInput
  331.  
  332. 0000000077238cd0 8 bytes JMP 000000016fff0618
  333. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!BlockInput
  334.  
  335. 000000007723ad60 8 bytes JMP 000000016fff07d8
  336. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!ExitWindowsEx
  337.  
  338. 00000000772614e0 5 bytes JMP 000000016fff0928
  339. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!keybd_event
  340.  
  341. 00000000772845a4 7 bytes JMP 000000016fff01f0
  342. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendDlgItemMessageA
  343.  
  344. 000000007728cc08 5 bytes JMP 000000016fff05a8
  345. .text C:\windows\system32\services.exe[552] C:\windows\system32\USER32.dll!SendMessageCallbackA
  346.  
  347. 000000007728df18 7 bytes JMP 000000016fff04c8
  348. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!DeleteDC
  349.  
  350. 000007fefe3522cc 5 bytes JMP 000007fffd0c0298
  351. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!BitBlt
  352.  
  353. 000007fefe3524c0 5 bytes JMP 000007fffd0c02d0
  354. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!MaskBlt
  355.  
  356. 000007fefe355be0 5 bytes JMP 000007fffd0c0308
  357. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!CreateDCW
  358.  
  359. 000007fefe358398 9 bytes JMP 000007fffd0c0228
  360. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!CreateDCA
  361.  
  362. 000007fefe3589c8 9 bytes JMP 000007fffd0c01f0
  363. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!GetPixel
  364.  
  365. 000007fefe359344 5 bytes JMP 000007fffd0c0260
  366. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!StretchBlt
  367.  
  368. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0378
  369. .text C:\windows\system32\services.exe[552] C:\windows\system32\GDI32.dll!PlgBlt
  370.  
  371. 000007fefe365410 5 bytes JMP 000007fffd0c0340
  372. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  373.  
  374. 0000000077333ae0 5 bytes JMP 000000016fff0110
  375. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  376.  
  377. 0000000077337a90 5 bytes JMP 000000016fff0d50
  378. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtClose
  379.  
  380. 0000000077361400 8 bytes JMP 000000016fff00d8
  381. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  382.  
  383. 00000000773615d0 8 bytes JMP 000000016fff0a78
  384. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  385.  
  386. 0000000077361640 8 bytes JMP 000000016fff0c00
  387. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  388.  
  389. 0000000077361680 8 bytes JMP 000000016fff0b90
  390. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  391.  
  392. 0000000077361720 8 bytes JMP 000000016fff0c38
  393. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  394.  
  395. 00000000773617b0 8 bytes JMP 000000016fff0b58
  396. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  397.  
  398. 00000000773617f0 8 bytes JMP 000000016fff0998
  399. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  400.  
  401. 0000000077361840 1 byte JMP 000000016fff09d0
  402. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  403.  
  404. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  405. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  406.  
  407. 0000000077361860 8 bytes JMP 000000016fff0bc8
  408. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  409.  
  410. 0000000077361a50 8 bytes JMP 000000016fff0d18
  411. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  412.  
  413. 0000000077361b60 8 bytes JMP 000000016fff0960
  414. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  415.  
  416. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  417. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  418.  
  419. 0000000077361d80 8 bytes JMP 000000016fff0c70
  420. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  421.  
  422. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  423. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  424.  
  425. 0000000077362100 8 bytes JMP 000000016fff0ae8
  426. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  427.  
  428. 0000000077362190 8 bytes JMP 000000016fff0ca8
  429. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  430.  
  431. 0000000077362a00 8 bytes JMP 000000016fff0b20
  432. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  433.  
  434. 0000000077362a80 8 bytes JMP 000000016fff0a08
  435. .text C:\windows\system32\lsass.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  436.  
  437. 0000000077362b00 8 bytes JMP 000000016fff0a40
  438. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  439.  
  440. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  441. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!DeleteDC
  442.  
  443. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  444. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!BitBlt
  445.  
  446. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  447. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!MaskBlt
  448.  
  449. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  450. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!CreateDCW
  451.  
  452. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  453. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!CreateDCA
  454.  
  455. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  456. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!GetPixel
  457.  
  458. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  459. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!StretchBlt
  460.  
  461. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  462. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\GDI32.dll!PlgBlt
  463.  
  464. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  465. .text C:\windows\system32\lsass.exe[568] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA
  466.  
  467. 000007fefebfa1a0 7 bytes JMP 000007fffd0c0180
  468. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  469.  
  470. 0000000077333ae0 5 bytes JMP 000000016fff0110
  471. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  472.  
  473. 0000000077337a90 5 bytes JMP 000000016fff0d50
  474. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtClose
  475.  
  476. 0000000077361400 8 bytes JMP 000000016fff00d8
  477. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  478.  
  479. 00000000773615d0 8 bytes JMP 000000016fff0a78
  480. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  481.  
  482. 0000000077361640 8 bytes JMP 000000016fff0c00
  483. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  484.  
  485. 0000000077361680 8 bytes JMP 000000016fff0b90
  486. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  487.  
  488. 0000000077361720 8 bytes JMP 000000016fff0c38
  489. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  490.  
  491. 00000000773617b0 8 bytes JMP 000000016fff0b58
  492. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  493.  
  494. 00000000773617f0 8 bytes JMP 000000016fff0998
  495. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  496.  
  497. 0000000077361840 1 byte JMP 000000016fff09d0
  498. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  499.  
  500. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  501. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  502.  
  503. 0000000077361860 8 bytes JMP 000000016fff0bc8
  504. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  505.  
  506. 0000000077361a50 8 bytes JMP 000000016fff0d18
  507. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  508.  
  509. 0000000077361b60 8 bytes JMP 000000016fff0960
  510. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  511.  
  512. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  513. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  514.  
  515. 0000000077361d80 8 bytes JMP 000000016fff0c70
  516. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  517.  
  518. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  519. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  520.  
  521. 0000000077362100 8 bytes JMP 000000016fff0ae8
  522. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  523.  
  524. 0000000077362190 8 bytes JMP 000000016fff0ca8
  525. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  526.  
  527. 0000000077362a00 8 bytes JMP 000000016fff0b20
  528. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  529.  
  530. 0000000077362a80 8 bytes JMP 000000016fff0a08
  531. .text C:\windows\system32\lsm.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  532.  
  533. 0000000077362b00 8 bytes JMP 000000016fff0a40
  534. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  535.  
  536. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  537. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!DeleteDC
  538.  
  539. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  540. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!BitBlt
  541.  
  542. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  543. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!MaskBlt
  544.  
  545. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  546. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!CreateDCW
  547.  
  548. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  549. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!CreateDCA
  550.  
  551. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  552. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!GetPixel
  553.  
  554. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  555. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!StretchBlt
  556.  
  557. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  558. .text C:\windows\system32\lsm.exe[580] C:\windows\system32\GDI32.dll!PlgBlt
  559.  
  560. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  561. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  562.  
  563. 0000000077333ae0 5 bytes JMP 000000016fff0110
  564. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  565.  
  566. 0000000077337a90 5 bytes JMP 000000016fff0d50
  567. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtClose
  568.  
  569. 0000000077361400 8 bytes JMP 000000016fff00d8
  570. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  571.  
  572. 00000000773615d0 8 bytes JMP 000000016fff0a78
  573. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  574.  
  575. 0000000077361640 8 bytes JMP 000000016fff0c00
  576. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  577.  
  578. 0000000077361680 8 bytes JMP 000000016fff0b90
  579. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  580.  
  581. 0000000077361720 8 bytes JMP 000000016fff0c38
  582. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  583.  
  584. 00000000773617b0 8 bytes JMP 000000016fff0b58
  585. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  586.  
  587. 00000000773617f0 8 bytes JMP 000000016fff0998
  588. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  589.  
  590. 0000000077361840 1 byte JMP 000000016fff09d0
  591. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  592.  
  593. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  594. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  595.  
  596. 0000000077361860 8 bytes JMP 000000016fff0bc8
  597. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  598.  
  599. 0000000077361a50 8 bytes JMP 000000016fff0d18
  600. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  601.  
  602. 0000000077361b60 8 bytes JMP 000000016fff0960
  603. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  604.  
  605. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  606. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  607.  
  608. 0000000077361d80 8 bytes JMP 000000016fff0c70
  609. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  610.  
  611. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  612. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  613.  
  614. 0000000077362100 8 bytes JMP 000000016fff0ae8
  615. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  616.  
  617. 0000000077362190 8 bytes JMP 000000016fff0ca8
  618. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  619.  
  620. 0000000077362a00 8 bytes JMP 000000016fff0b20
  621. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  622.  
  623. 0000000077362a80 8 bytes JMP 000000016fff0a08
  624. .text C:\windows\system32\svchost.exe[736] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  625.  
  626. 0000000077362b00 8 bytes JMP 000000016fff0a40
  627. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  628.  
  629. 00000000770fa420 12 bytes JMP 000000016fff01b8
  630. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\kernel32.dll!CreateProcessW
  631.  
  632. 0000000077111b50 12 bytes JMP 000000016fff0148
  633. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\kernel32.dll!CreateProcessA
  634.  
  635. 0000000077188810 7 bytes JMP 000000016fff0180
  636. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  637.  
  638. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  639. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx
  640.  
  641. 000007fefeac6bd0 5 bytes JMP 000007fffd0c01b8
  642. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!DeleteDC
  643.  
  644. 000007fefe3522cc 5 bytes JMP 000007fffd0c0298
  645. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!BitBlt
  646.  
  647. 000007fefe3524c0 5 bytes JMP 000007fffd0c02d0
  648. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!MaskBlt
  649.  
  650. 000007fefe355be0 5 bytes JMP 000007fffd0c0308
  651. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!CreateDCW
  652.  
  653. 000007fefe358398 9 bytes JMP 000007fffd0c0228
  654. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!CreateDCA
  655.  
  656. 000007fefe3589c8 9 bytes JMP 000007fffd0c01f0
  657. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!GetPixel
  658.  
  659. 000007fefe359344 5 bytes JMP 000007fffd0c0260
  660. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!StretchBlt
  661.  
  662. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0378
  663. .text C:\windows\system32\svchost.exe[736] C:\windows\system32\GDI32.dll!PlgBlt
  664.  
  665. 000007fefe365410 5 bytes JMP 000007fffd0c0340
  666. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  667.  
  668. 0000000077333ae0 5 bytes JMP 000000016fff0110
  669. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  670.  
  671. 0000000077337a90 5 bytes JMP 000000016fff0d50
  672. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtClose
  673.  
  674. 0000000077361400 8 bytes JMP 000000016fff00d8
  675. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  676.  
  677. 00000000773615d0 8 bytes JMP 000000016fff0a78
  678. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  679.  
  680. 0000000077361640 8 bytes JMP 000000016fff0c00
  681. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  682.  
  683. 0000000077361680 8 bytes JMP 000000016fff0b90
  684. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  685.  
  686. 0000000077361720 8 bytes JMP 000000016fff0c38
  687. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  688.  
  689. 00000000773617b0 8 bytes JMP 000000016fff0b58
  690. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  691.  
  692. 00000000773617f0 8 bytes JMP 000000016fff0998
  693. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  694.  
  695. 0000000077361840 1 byte JMP 000000016fff09d0
  696. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  697.  
  698. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  699. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  700.  
  701. 0000000077361860 8 bytes JMP 000000016fff0bc8
  702. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  703.  
  704. 0000000077361a50 8 bytes JMP 000000016fff0d18
  705. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  706.  
  707. 0000000077361b60 8 bytes JMP 000000016fff0960
  708. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  709.  
  710. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  711. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  712.  
  713. 0000000077361d80 8 bytes JMP 000000016fff0c70
  714. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  715.  
  716. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  717. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  718.  
  719. 0000000077362100 8 bytes JMP 000000016fff0ae8
  720. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  721.  
  722. 0000000077362190 8 bytes JMP 000000016fff0ca8
  723. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  724.  
  725. 0000000077362a00 8 bytes JMP 000000016fff0b20
  726. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  727.  
  728. 0000000077362a80 8 bytes JMP 000000016fff0a08
  729. .text C:\windows\system32\svchost.exe[812] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  730.  
  731. 0000000077362b00 8 bytes JMP 000000016fff0a40
  732. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  733.  
  734. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  735. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx
  736.  
  737. 000007fefeac6bd0 5 bytes JMP 000007fffd0c01b8
  738. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!DeleteDC
  739.  
  740. 000007fefe3522cc 5 bytes JMP 000007fffd0c0298
  741. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!BitBlt
  742.  
  743. 000007fefe3524c0 5 bytes JMP 000007fffd0c02d0
  744. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!MaskBlt
  745.  
  746. 000007fefe355be0 5 bytes JMP 000007fffd0c0308
  747. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!CreateDCW
  748.  
  749. 000007fefe358398 9 bytes JMP 000007fffd0c0228
  750. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!CreateDCA
  751.  
  752. 000007fefe3589c8 9 bytes JMP 000007fffd0c01f0
  753. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!GetPixel
  754.  
  755. 000007fefe359344 5 bytes JMP 000007fffd0c0260
  756. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!StretchBlt
  757.  
  758. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0378
  759. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\GDI32.dll!PlgBlt
  760.  
  761. 000007fefe365410 5 bytes JMP 000007fffd0c0340
  762. .text C:\windows\system32\svchost.exe[812] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA
  763.  
  764. 000007fefebfa1a0 7 bytes JMP 000007fffd0c0180
  765. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  766.  
  767. 0000000077333ae0 5 bytes JMP 000000016fff0110
  768. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  769.  
  770. 0000000077337a90 5 bytes JMP 000000016fff0d50
  771. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtClose
  772.  
  773. 0000000077361400 8 bytes JMP 000000016fff00d8
  774. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  775.  
  776. 00000000773615d0 8 bytes JMP 000000016fff0a78
  777. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  778.  
  779. 0000000077361640 8 bytes JMP 000000016fff0c00
  780. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  781.  
  782. 0000000077361680 8 bytes JMP 000000016fff0b90
  783. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  784.  
  785. 0000000077361720 8 bytes JMP 000000016fff0c38
  786. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  787.  
  788. 00000000773617b0 8 bytes JMP 000000016fff0b58
  789. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  790.  
  791. 00000000773617f0 8 bytes JMP 000000016fff0998
  792. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  793.  
  794. 0000000077361840 1 byte JMP 000000016fff09d0
  795. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  796.  
  797. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  798. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  799.  
  800. 0000000077361860 8 bytes JMP 000000016fff0bc8
  801. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  802.  
  803. 0000000077361a50 8 bytes JMP 000000016fff0d18
  804. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  805.  
  806. 0000000077361b60 8 bytes JMP 000000016fff0960
  807. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  808.  
  809. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  810. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  811.  
  812. 0000000077361d80 8 bytes JMP 000000016fff0c70
  813. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  814.  
  815. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  816. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  817.  
  818. 0000000077362100 8 bytes JMP 000000016fff0ae8
  819. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  820.  
  821. 0000000077362190 8 bytes JMP 000000016fff0ca8
  822. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  823.  
  824. 0000000077362a00 8 bytes JMP 000000016fff0b20
  825. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  826.  
  827. 0000000077362a80 8 bytes JMP 000000016fff0a08
  828. .text C:\windows\system32\svchost.exe[944] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  829.  
  830. 0000000077362b00 8 bytes JMP 000000016fff0a40
  831. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  832.  
  833. 00000000770fa420 12 bytes JMP 000000016fff01b8
  834. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\kernel32.dll!CreateProcessW
  835.  
  836. 0000000077111b50 12 bytes JMP 000000016fff0148
  837. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\kernel32.dll!CreateProcessA
  838.  
  839. 0000000077188810 7 bytes JMP 000000016fff0180
  840. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  841.  
  842. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  843. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!DeleteDC
  844.  
  845. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  846. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!BitBlt
  847.  
  848. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  849. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!MaskBlt
  850.  
  851. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  852. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!CreateDCW
  853.  
  854. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  855. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!CreateDCA
  856.  
  857. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  858. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!GetPixel
  859.  
  860. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  861. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!StretchBlt
  862.  
  863. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  864. .text C:\windows\system32\svchost.exe[944] C:\windows\system32\GDI32.dll!PlgBlt
  865.  
  866. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  867. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  868.  
  869. 0000000077333ae0 5 bytes JMP 000000016fff0110
  870. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  871.  
  872. 0000000077337a90 5 bytes JMP 000000016fff0d50
  873. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtClose
  874.  
  875. 0000000077361400 8 bytes JMP 000000016fff00d8
  876. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  877.  
  878. 00000000773615d0 8 bytes JMP 000000016fff0a78
  879. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  880.  
  881. 0000000077361640 8 bytes JMP 000000016fff0c00
  882. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  883.  
  884. 0000000077361680 8 bytes JMP 000000016fff0b90
  885. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  886.  
  887. 0000000077361720 8 bytes JMP 000000016fff0c38
  888. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  889.  
  890. 00000000773617b0 8 bytes JMP 000000016fff0b58
  891. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  892.  
  893. 00000000773617f0 8 bytes JMP 000000016fff0998
  894. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  895.  
  896. 0000000077361840 1 byte JMP 000000016fff09d0
  897. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  898.  
  899. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  900. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  901.  
  902. 0000000077361860 8 bytes JMP 000000016fff0bc8
  903. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  904.  
  905. 0000000077361a50 8 bytes JMP 000000016fff0d18
  906. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  907.  
  908. 0000000077361b60 8 bytes JMP 000000016fff0960
  909. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  910.  
  911. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  912. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  913.  
  914. 0000000077361d80 8 bytes JMP 000000016fff0c70
  915. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  916.  
  917. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  918. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  919.  
  920. 0000000077362100 8 bytes JMP 000000016fff0ae8
  921. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  922.  
  923. 0000000077362190 8 bytes JMP 000000016fff0ca8
  924. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  925.  
  926. 0000000077362a00 8 bytes JMP 000000016fff0b20
  927. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  928.  
  929. 0000000077362a80 8 bytes JMP 000000016fff0a08
  930. .text C:\windows\System32\svchost.exe[984] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  931.  
  932. 0000000077362b00 8 bytes JMP 000000016fff0a40
  933. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  934.  
  935. 00000000770fa420 12 bytes JMP 000000016fff01b8
  936. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\kernel32.dll!CreateProcessW
  937.  
  938. 0000000077111b50 12 bytes JMP 000000016fff0148
  939. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\kernel32.dll!CreateProcessA
  940.  
  941. 0000000077188810 7 bytes JMP 000000016fff0180
  942. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  943.  
  944. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  945. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!DeleteDC
  946.  
  947. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  948. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!BitBlt
  949.  
  950. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  951. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!MaskBlt
  952.  
  953. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  954. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!CreateDCW
  955.  
  956. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  957. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!CreateDCA
  958.  
  959. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  960. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!GetPixel
  961.  
  962. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  963. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!StretchBlt
  964.  
  965. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  966. .text C:\windows\System32\svchost.exe[984] C:\windows\system32\GDI32.dll!PlgBlt
  967.  
  968. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  969. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  970.  
  971. 0000000077333ae0 5 bytes JMP 000000016fff0110
  972. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  973.  
  974. 0000000077337a90 5 bytes JMP 000000016fff0d50
  975. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtClose
  976.  
  977. 0000000077361400 8 bytes JMP 000000016fff00d8
  978. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  979.  
  980. 00000000773615d0 8 bytes JMP 000000016fff0a78
  981. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  982.  
  983. 0000000077361640 8 bytes JMP 000000016fff0c00
  984. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  985.  
  986. 0000000077361680 8 bytes JMP 000000016fff0b90
  987. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  988.  
  989. 0000000077361720 8 bytes JMP 000000016fff0c38
  990. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  991.  
  992. 00000000773617b0 8 bytes JMP 000000016fff0b58
  993. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  994.  
  995. 00000000773617f0 8 bytes JMP 000000016fff0998
  996. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  997.  
  998. 0000000077361840 1 byte JMP 000000016fff09d0
  999. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  1000.  
  1001. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  1002. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  1003.  
  1004. 0000000077361860 8 bytes JMP 000000016fff0bc8
  1005. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  1006.  
  1007. 0000000077361a50 8 bytes JMP 000000016fff0d18
  1008. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  1009.  
  1010. 0000000077361b60 8 bytes JMP 000000016fff0960
  1011. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  1012.  
  1013. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  1014. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  1015.  
  1016. 0000000077361d80 8 bytes JMP 000000016fff0c70
  1017. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  1018.  
  1019. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  1020. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  1021.  
  1022. 0000000077362100 8 bytes JMP 000000016fff0ae8
  1023. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  1024.  
  1025. 0000000077362190 8 bytes JMP 000000016fff0ca8
  1026. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  1027.  
  1028. 0000000077362a00 8 bytes JMP 000000016fff0b20
  1029. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  1030.  
  1031. 0000000077362a80 8 bytes JMP 000000016fff0a08
  1032. .text C:\windows\System32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  1033.  
  1034. 0000000077362b00 8 bytes JMP 000000016fff0a40
  1035. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  1036.  
  1037. 00000000770fa420 12 bytes JMP 000000016fff01b8
  1038. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\kernel32.dll!CreateProcessW
  1039.  
  1040. 0000000077111b50 12 bytes JMP 000000016fff0148
  1041. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\kernel32.dll!CreateProcessA
  1042.  
  1043. 0000000077188810 7 bytes JMP 000000016fff0180
  1044. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1045.  
  1046. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1047. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!DeleteDC
  1048.  
  1049. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1050. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!BitBlt
  1051.  
  1052. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1053. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!MaskBlt
  1054.  
  1055. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1056. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!CreateDCW
  1057.  
  1058. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1059. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!CreateDCA
  1060.  
  1061. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1062. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!GetPixel
  1063.  
  1064. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1065. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!StretchBlt
  1066.  
  1067. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1068. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\GDI32.dll!PlgBlt
  1069.  
  1070. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1071. .text C:\windows\System32\svchost.exe[1020] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA
  1072.  
  1073. 000007fefebfa1a0 7 bytes JMP 000007fffd0c0180
  1074. [snip]
  1075. .text C:\windows\system32\svchost.exe[1180] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA
  1076.  
  1077. 000007fefebfa1a0 7 bytes JMP 000007fffd0c0180
  1078. .text C:\windows\System32\spoolsv.exe[1292] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  1079.  
  1080. 0000000077333ae0 5 bytes JMP 000000016fff0110
  1081. [snip]
  1082.  
  1083. .text C:\windows\System32\spoolsv.exe[1292] C:\windows\system32\GDI32.dll!StretchBlt
  1084.  
  1085. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1086. .text C:\windows\System32\spoolsv.exe[1292] C:\windows\system32\GDI32.dll!PlgBlt
  1087.  
  1088. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1089. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  1090.  
  1091. 0000000077333ae0 5 bytes JMP 000000016fff0110
  1092. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  1093.  
  1094. 0000000077337a90 5 bytes JMP 000000016fff0d50
  1095. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtClose
  1096.  
  1097. 0000000077361400 8 bytes JMP 000000016fff00d8
  1098. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  1099.  
  1100. 00000000773615d0 8 bytes JMP 000000016fff0a78
  1101. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  1102.  
  1103. 0000000077361640 8 bytes JMP 000000016fff0c00
  1104. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  1105.  
  1106. 0000000077361680 8 bytes JMP 000000016fff0b90
  1107. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  1108.  
  1109. 0000000077361720 8 bytes JMP 000000016fff0c38
  1110. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  1111.  
  1112. 00000000773617b0 8 bytes JMP 000000016fff0b58
  1113. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  1114.  
  1115. 00000000773617f0 8 bytes JMP 000000016fff0998
  1116. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  1117.  
  1118. 0000000077361840 1 byte JMP 000000016fff09d0
  1119. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  1120.  
  1121. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  1122. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  1123.  
  1124. 0000000077361860 8 bytes JMP 000000016fff0bc8
  1125. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  1126.  
  1127. 0000000077361a50 8 bytes JMP 000000016fff0d18
  1128. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  1129.  
  1130. 0000000077361b60 8 bytes JMP 000000016fff0960
  1131. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  1132.  
  1133. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  1134. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  1135.  
  1136. 0000000077361d80 8 bytes JMP 000000016fff0c70
  1137. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  1138.  
  1139. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  1140. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  1141.  
  1142. 0000000077362100 8 bytes JMP 000000016fff0ae8
  1143. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  1144.  
  1145. 0000000077362190 8 bytes JMP 000000016fff0ca8
  1146. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  1147.  
  1148. 0000000077362a00 8 bytes JMP 000000016fff0b20
  1149. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  1150.  
  1151. 0000000077362a80 8 bytes JMP 000000016fff0a08
  1152. .text C:\windows\system32\taskhost.exe[1400] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  1153.  
  1154. 0000000077362b00 8 bytes JMP 000000016fff0a40
  1155. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  1156.  
  1157. 00000000770fa420 12 bytes JMP 000000016fff01b8
  1158. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\kernel32.dll!CreateProcessW
  1159.  
  1160. 0000000077111b50 12 bytes JMP 000000016fff0148
  1161. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\kernel32.dll!CreateProcessA
  1162.  
  1163. 0000000077188810 7 bytes JMP 000000016fff0180
  1164. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1165.  
  1166. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1167. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!DeleteDC
  1168.  
  1169. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1170. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!BitBlt
  1171.  
  1172. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1173. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!MaskBlt
  1174.  
  1175. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1176. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!CreateDCW
  1177.  
  1178. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1179. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!CreateDCA
  1180.  
  1181. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1182. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!GetPixel
  1183.  
  1184. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1185. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!StretchBlt
  1186.  
  1187. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1188. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\GDI32.dll!PlgBlt
  1189.  
  1190. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1191. .text C:\windows\system32\taskhost.exe[1400] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA
  1192.  
  1193. 000007fefebfa1a0 7 bytes JMP 000007fffd0c0180
  1194. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtClose
  1195.  
  1196. 000000007750f9c0 5 bytes JMP 000000011001d120
  1197. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess
  1198.  
  1199. 000000007750fc90 5 bytes JMP 000000011002fc20
  1200. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtOpenFile
  1201.  
  1202. 000000007750fd44 5 bytes JMP 000000011002e100
  1203. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtOpenSection
  1204.  
  1205. 000000007750fda8 5 bytes JMP 000000011002ed90
  1206. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken
  1207.  
  1208. 000000007750fea0 5 bytes JMP 000000011002c3c0
  1209. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtCreateSection
  1210.  
  1211. 000000007750ff84 5 bytes JMP 000000011002e7a0
  1212. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtCreateThread
  1213.  
  1214. 000000007750ffe4 2 bytes JMP 0000000110030080
  1215. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 3
  1216.  
  1217. 000000007750ffe7 2 bytes [B2, 98]
  1218. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread
  1219.  
  1220. 0000000077510064 5 bytes JMP 000000011002fe40
  1221. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtCreateFile
  1222.  
  1223. 0000000077510094 5 bytes JMP 000000011002e400
  1224. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort
  1225.  
  1226. 0000000077510398 5 bytes JMP 000000011002cde0
  1227. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort
  1228.  
  1229. 0000000077510530 5 bytes JMP 000000011002b670
  1230. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtConnectPort
  1231.  
  1232. 0000000077510674 5 bytes JMP 000000011002f8b0
  1233. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject
  1234.  
  1235. 000000007751086c 5 bytes JMP 000000011002bfe0
  1236. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx
  1237.  
  1238. 0000000077510884 5 bytes JMP 000000011002ca40
  1239. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver
  1240.  
  1241. 0000000077510dd4 5 bytes JMP 000000011002f6a0
  1242. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject
  1243.  
  1244. 0000000077510eb8 5 bytes JMP 000000011002f220
  1245. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation
  1246.  
  1247. 0000000077511bc4 5 bytes JMP 000000011002f460
  1248. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem
  1249.  
  1250. 0000000077511c94 5 bytes JMP 000000011002c670
  1251. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl
  1252.  
  1253. 0000000077511d6c 5 bytes JMP 000000011002f020
  1254. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll
  1255.  
  1256. 000000007752c45a 5 bytes JMP 0000000110027f40
  1257. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll
  1258.  
  1259. 0000000077531217 7 bytes JMP 000000011001d240
  1260. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\kernel32.dll!CreateProcessW
  1261.  
  1262. 0000000074ff103d 5 bytes JMP 0000000110025070
  1263. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\kernel32.dll!CreateProcessA
  1264.  
  1265. 0000000074ff1072 5 bytes JMP 0000000110025c00
  1266. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW
  1267.  
  1268. 000000007501c9b5 5 bytes JMP 0000000110023ba0
  1269. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters
  1270.  
  1271. 00000000760ff776 5 bytes JMP 000000011001d270
  1272. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!PostThreadMessageW
  1273.  
  1274. 0000000075988bff 5 bytes JMP 000000011001b6e0
  1275. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SystemParametersInfoW
  1276.  
  1277. 00000000759890d3 7 bytes JMP 000000011001c470
  1278. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendMessageW
  1279.  
  1280. 0000000075989679 5 bytes JMP 000000011001b1a0
  1281. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW
  1282.  
  1283. 00000000759897d2 5 bytes JMP 000000011001ac20
  1284. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SetWinEventHook
  1285.  
  1286. 000000007598ee09 5 bytes JMP 000000011001c160
  1287. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!RegisterHotKey
  1288.  
  1289. 000000007598efc9 5 bytes JMP 0000000110018140
  1290. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!PostMessageW
  1291.  
  1292. 00000000759912a5 5 bytes JMP 000000011001bc20
  1293. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!GetKeyState
  1294.  
  1295. 000000007599291f 5 bytes JMP 00000001100193d0
  1296. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SetParent
  1297.  
  1298. 0000000075992d64 5 bytes JMP 0000000110018980
  1299. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!EnableWindow
  1300.  
  1301. 0000000075992da4 5 bytes JMP 0000000110017ea0
  1302. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!MoveWindow
  1303.  
  1304. 0000000075993698 5 bytes JMP 0000000110018c20
  1305. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!PostMessageA
  1306.  
  1307. 0000000075993baa 5 bytes JMP 000000011001bec0
  1308. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!PostThreadMessageA
  1309.  
  1310. 0000000075993c61 5 bytes JMP 000000011001b980
  1311. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendMessageA
  1312.  
  1313. 000000007599612e 5 bytes JMP 000000011001b440
  1314. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SystemParametersInfoA
  1315.  
  1316. 0000000075996c30 7 bytes JMP 000000011001c690
  1317. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SetWindowsHookExW
  1318.  
  1319. 0000000075997603 5 bytes JMP 000000011001c8b0
  1320. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendNotifyMessageW
  1321.  
  1322. 0000000075997668 5 bytes JMP 000000011001a160
  1323. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendMessageCallbackW
  1324.  
  1325. 00000000759976e0 5 bytes JMP 000000011001a6a0
  1326. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA
  1327.  
  1328. 000000007599781f 5 bytes JMP 000000011001aee0
  1329. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SetWindowsHookExA
  1330.  
  1331. 000000007599835c 5 bytes JMP 000000011001cb20
  1332. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SetClipboardViewer
  1333.  
  1334. 000000007599c4b6 5 bytes JMP 0000000110018780
  1335. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA
  1336.  
  1337. 00000000759ac112 5 bytes JMP 0000000110019eb0
  1338. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW
  1339.  
  1340. 00000000759ad0f5 5 bytes JMP 0000000110019c00
  1341. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!GetAsyncKeyState
  1342.  
  1343. 00000000759aeb96 5 bytes JMP 0000000110019120
  1344. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!GetKeyboardState
  1345.  
  1346. 00000000759aec68 5 bytes JMP 0000000110019680
  1347. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendInput
  1348.  
  1349. 00000000759aff4a 5 bytes JMP 0000000110019930
  1350. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!GetClipboardData
  1351.  
  1352. 00000000759c9f1d 5 bytes JMP 0000000110018370
  1353. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!ExitWindowsEx
  1354.  
  1355. 00000000759d1497 5 bytes JMP 0000000110017c90
  1356. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!mouse_event
  1357.  
  1358. 00000000759e027b 5 bytes JMP 00000001100297c0
  1359. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!keybd_event
  1360.  
  1361. 00000000759e02bf 5 bytes JMP 00000001100299d0
  1362. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendMessageCallbackA
  1363.  
  1364. 00000000759e6cfc 5 bytes JMP 000000011001a960
  1365. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!SendNotifyMessageA
  1366.  
  1367. 00000000759e6d5d 5 bytes JMP 000000011001a400
  1368. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!BlockInput
  1369.  
  1370. 00000000759e7dd7 5 bytes JMP 0000000110018580
  1371. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices
  1372.  
  1373. 00000000759e88eb 5 bytes JMP 0000000110018f00
  1374. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!DeleteDC
  1375.  
  1376. 0000000075fa58b3 5 bytes JMP 0000000110028d10
  1377. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!BitBlt
  1378.  
  1379. 0000000075fa5ea6 5 bytes JMP 0000000110029530
  1380. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!CreateDCA
  1381.  
  1382. 0000000075fa7bcc 5 bytes JMP 0000000110029e10
  1383. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!StretchBlt
  1384.  
  1385. 0000000075fab895 5 bytes JMP 0000000110028d50
  1386. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!MaskBlt
  1387.  
  1388. 0000000075fac332 5 bytes JMP 0000000110029280
  1389. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!GetPixel
  1390.  
  1391. 0000000075facbfb 5 bytes JMP 0000000110028ae0
  1392. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!CreateDCW
  1393.  
  1394. 0000000075fae743 5 bytes JMP 0000000110029d10
  1395. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\GDI32.dll!PlgBlt
  1396.  
  1397. 0000000075fd4646 5 bytes JMP 0000000110028ff0
  1398. .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA
  1399.  
  1400. 0000000077002538 5 bytes JMP 00000001100244d0
  1401. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  1402.  
  1403. 00000000770fa420 12 bytes JMP 000000016fff01b8
  1404. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\kernel32.dll!CreateProcessW
  1405.  
  1406. 0000000077111b50 12 bytes JMP 000000016fff0148
  1407. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\kernel32.dll!CreateProcessA
  1408.  
  1409. 0000000077188810 7 bytes JMP 000000016fff0180
  1410. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1411.  
  1412. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1413. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!DeleteDC
  1414.  
  1415. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1416. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!BitBlt
  1417.  
  1418. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1419. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!MaskBlt
  1420.  
  1421. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1422. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!CreateDCW
  1423.  
  1424. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1425. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!CreateDCA
  1426.  
  1427. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1428. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!GetPixel
  1429.  
  1430. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1431. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!StretchBlt
  1432.  
  1433. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1434. .text C:\windows\system32\svchost.exe[1720] C:\windows\system32\GDI32.dll!PlgBlt
  1435.  
  1436. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1437. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1438.  
  1439. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1440. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!DeleteDC
  1441.  
  1442. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1443. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!BitBlt
  1444.  
  1445. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1446. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!MaskBlt
  1447.  
  1448. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1449. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!CreateDCW
  1450.  
  1451. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1452. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!CreateDCA
  1453.  
  1454. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1455. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!GetPixel
  1456.  
  1457. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1458. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!StretchBlt
  1459.  
  1460. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1461. .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\GDI32.dll!PlgBlt
  1462.  
  1463. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1464. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  1465.  
  1466. 0000000077333ae0 5 bytes JMP 000000016fff0110
  1467. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  1468.  
  1469. 0000000077337a90 5 bytes JMP 000000016fff0d50
  1470. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtClose
  1471.  
  1472. 0000000077361400 8 bytes JMP 000000016fff00d8
  1473. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  1474.  
  1475. 00000000773615d0 8 bytes JMP 000000016fff0a78
  1476. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  1477.  
  1478. 0000000077361640 8 bytes JMP 000000016fff0c00
  1479. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  1480.  
  1481. 0000000077361680 8 bytes JMP 000000016fff0b90
  1482. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  1483.  
  1484. 0000000077361720 8 bytes JMP 000000016fff0c38
  1485. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  1486.  
  1487. 00000000773617b0 8 bytes JMP 000000016fff0b58
  1488. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  1489.  
  1490. 00000000773617f0 8 bytes JMP 000000016fff0998
  1491. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  1492.  
  1493. 0000000077361840 1 byte JMP 000000016fff09d0
  1494. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  1495.  
  1496. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  1497. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  1498.  
  1499. 0000000077361860 8 bytes JMP 000000016fff0bc8
  1500. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  1501.  
  1502. 0000000077361a50 8 bytes JMP 000000016fff0d18
  1503. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  1504.  
  1505. 0000000077361b60 8 bytes JMP 000000016fff0960
  1506. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  1507.  
  1508. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  1509. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  1510.  
  1511. 0000000077361d80 8 bytes JMP 000000016fff0c70
  1512. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  1513.  
  1514. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  1515. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  1516.  
  1517. 0000000077362100 8 bytes JMP 000000016fff0ae8
  1518. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  1519.  
  1520. 0000000077362190 8 bytes JMP 000000016fff0ca8
  1521. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  1522.  
  1523. 0000000077362a00 8 bytes JMP 000000016fff0b20
  1524. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  1525.  
  1526. 0000000077362a80 8 bytes JMP 000000016fff0a08
  1527. .text C:\windows\System32\rundll32.exe[2172] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  1528.  
  1529. 0000000077362b00 8 bytes JMP 000000016fff0a40
  1530. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  1531.  
  1532. 00000000770fa420 12 bytes JMP 000000016fff01b8
  1533. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\kernel32.dll!CreateProcessW
  1534.  
  1535. 0000000077111b50 12 bytes JMP 000000016fff0148
  1536. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\kernel32.dll!CreateProcessA
  1537.  
  1538. 0000000077188810 7 bytes JMP 000000016fff0180
  1539. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1540.  
  1541. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1542. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!DeleteDC
  1543.  
  1544. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1545. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!BitBlt
  1546.  
  1547. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1548. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!MaskBlt
  1549.  
  1550. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1551. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!CreateDCW
  1552.  
  1553. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1554. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!CreateDCA
  1555.  
  1556. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1557. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!GetPixel
  1558.  
  1559. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1560. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!StretchBlt
  1561.  
  1562. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1563. .text C:\windows\System32\rundll32.exe[2172] C:\windows\system32\GDI32.dll!PlgBlt
  1564.  
  1565. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1566. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1567.  
  1568. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1569. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!DeleteDC
  1570.  
  1571. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1572. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!BitBlt
  1573.  
  1574. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1575. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!MaskBlt
  1576.  
  1577. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1578. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!CreateDCW
  1579.  
  1580. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1581. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!CreateDCA
  1582.  
  1583. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1584. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!GetPixel
  1585.  
  1586. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1587. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!StretchBlt
  1588.  
  1589. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1590. .text C:\windows\system32\Dwm.exe[2724] C:\windows\system32\GDI32.dll!PlgBlt
  1591.  
  1592. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1593. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  1594.  
  1595. 0000000077333ae0 5 bytes JMP 000000016fff0110
  1596. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  1597.  
  1598. 0000000077337a90 5 bytes JMP 000000016fff0d50
  1599. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtClose
  1600.  
  1601. 0000000077361400 8 bytes JMP 000000016fff00d8
  1602. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  1603.  
  1604. 00000000773615d0 8 bytes JMP 000000016fff0a78
  1605. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  1606.  
  1607. 0000000077361640 8 bytes JMP 000000016fff0c00
  1608. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  1609.  
  1610. 0000000077361680 8 bytes JMP 000000016fff0b90
  1611. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  1612.  
  1613. 0000000077361720 8 bytes JMP 000000016fff0c38
  1614. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  1615.  
  1616. 00000000773617b0 8 bytes JMP 000000016fff0b58
  1617. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  1618.  
  1619. 00000000773617f0 8 bytes JMP 000000016fff0998
  1620. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  1621.  
  1622. 0000000077361840 1 byte JMP 000000016fff09d0
  1623. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  1624.  
  1625. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  1626. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  1627.  
  1628. 0000000077361860 8 bytes JMP 000000016fff0bc8
  1629. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  1630.  
  1631. 0000000077361a50 8 bytes JMP 000000016fff0d18
  1632. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  1633.  
  1634. 0000000077361b60 8 bytes JMP 000000016fff0960
  1635. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  1636.  
  1637. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  1638. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  1639.  
  1640. 0000000077361d80 8 bytes JMP 000000016fff0c70
  1641. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  1642.  
  1643. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  1644. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  1645.  
  1646. 0000000077362100 8 bytes JMP 000000016fff0ae8
  1647. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  1648.  
  1649. 0000000077362190 8 bytes JMP 000000016fff0ca8
  1650. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  1651.  
  1652. 0000000077362a00 8 bytes JMP 000000016fff0b20
  1653. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  1654.  
  1655. 0000000077362a80 8 bytes JMP 000000016fff0a08
  1656. .text C:\windows\Explorer.EXE[2732] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  1657.  
  1658. 0000000077362b00 8 bytes JMP 000000016fff0a40
  1659. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  1660.  
  1661. 00000000770fa420 12 bytes JMP 000000016fff01b8
  1662. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\kernel32.dll!CreateProcessW
  1663.  
  1664. 0000000077111b50 12 bytes JMP 000000016fff0148
  1665. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\kernel32.dll!CreateProcessA
  1666.  
  1667. 0000000077188810 7 bytes JMP 000000016fff0180
  1668. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1669.  
  1670. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1671. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!DeleteDC
  1672.  
  1673. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1674. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!BitBlt
  1675.  
  1676. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1677. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!MaskBlt
  1678.  
  1679. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1680. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!CreateDCW
  1681.  
  1682. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1683. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!CreateDCA
  1684.  
  1685. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1686. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!GetPixel
  1687.  
  1688. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1689. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!StretchBlt
  1690.  
  1691. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1692. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\GDI32.dll!PlgBlt
  1693.  
  1694. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1695. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!RegisterRawInputDevices
  1696.  
  1697. 0000000077216ef0 8 bytes JMP 000000016fff06f8
  1698. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SystemParametersInfoA
  1699.  
  1700. 0000000077218184 7 bytes JMP 000000016fff0880
  1701. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SetParent
  1702.  
  1703. 0000000077218530 8 bytes JMP 000000016fff0730
  1704. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!PostMessageA
  1705.  
  1706. 000000007721a404 5 bytes JMP 000000016fff0308
  1707. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!EnableWindow
  1708.  
  1709. 000000007721aaa0 9 bytes JMP 000000016fff08f0
  1710. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!MoveWindow
  1711.  
  1712. 000000007721aad0 8 bytes JMP 000000016fff0768
  1713. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!GetAsyncKeyState
  1714.  
  1715. 000000007721c720 5 bytes JMP 000000016fff06c0
  1716. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!RegisterHotKey
  1717.  
  1718. 000000007721cd50 8 bytes JMP 000000016fff0848
  1719. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!PostThreadMessageA
  1720.  
  1721. 000000007721d2b0 5 bytes JMP 000000016fff0378
  1722. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendMessageA
  1723.  
  1724. 000000007721d338 5 bytes JMP 000000016fff03e8
  1725. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendNotifyMessageW
  1726.  
  1727. 000000007721dc40 9 bytes JMP 000000016fff0570
  1728. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SystemParametersInfoW
  1729.  
  1730. 000000007721f510 7 bytes JMP 000000016fff08b8
  1731. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SetWindowsHookExW
  1732.  
  1733. 000000007721f874 9 bytes JMP 000000016fff0298
  1734. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendMessageTimeoutW
  1735.  
  1736. 000000007721fac0 9 bytes JMP 000000016fff0490
  1737. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!PostThreadMessageW
  1738.  
  1739. 0000000077220b74 10 bytes JMP 000000016fff03b0
  1740. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SetWinEventHook
  1741.  
  1742. 0000000077224d4c 5 bytes JMP 000000016fff02d0
  1743. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!GetKeyState
  1744.  
  1745. 0000000077225010 5 bytes JMP 000000016fff0688
  1746. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendMessageCallbackW
  1747.  
  1748. 0000000077225438 7 bytes JMP 000000016fff0500
  1749. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendMessageW
  1750.  
  1751. 0000000077226b50 5 bytes JMP 000000016fff0420
  1752. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!PostMessageW
  1753.  
  1754. 00000000772276e4 7 bytes JMP 000000016fff0340
  1755. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendDlgItemMessageW
  1756.  
  1757. 000000007722dd90 5 bytes JMP 000000016fff05e0
  1758. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!GetClipboardData
  1759.  
  1760. 000000007722e874 5 bytes JMP 000000016fff0810
  1761. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SetClipboardViewer
  1762.  
  1763. 000000007722f780 8 bytes JMP 000000016fff07a0
  1764. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendNotifyMessageA
  1765.  
  1766. 00000000772328e4 12 bytes JMP 000000016fff0538
  1767. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!mouse_event
  1768.  
  1769. 0000000077233894 7 bytes JMP 000000016fff0228
  1770. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!GetKeyboardState
  1771.  
  1772. 0000000077238a10 8 bytes JMP 000000016fff0650
  1773. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendMessageTimeoutA
  1774.  
  1775. 0000000077238be0 12 bytes JMP 000000016fff0458
  1776. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SetWindowsHookExA
  1777.  
  1778. 0000000077238c20 12 bytes JMP 000000016fff0260
  1779. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendInput
  1780.  
  1781. 0000000077238cd0 8 bytes JMP 000000016fff0618
  1782. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!BlockInput
  1783.  
  1784. 000000007723ad60 8 bytes JMP 000000016fff07d8
  1785. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!ExitWindowsEx
  1786.  
  1787. 00000000772614e0 5 bytes JMP 000000016fff0928
  1788. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!keybd_event
  1789.  
  1790. 00000000772845a4 7 bytes JMP 000000016fff01f0
  1791. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendDlgItemMessageA
  1792.  
  1793. 000000007728cc08 5 bytes JMP 000000016fff05a8
  1794. .text C:\windows\Explorer.EXE[2732] C:\windows\system32\USER32.dll!SendMessageCallbackA
  1795.  
  1796. 000000007728df18 7 bytes JMP 000000016fff04c8
  1797. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1798.  
  1799. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1800. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!DeleteDC
  1801.  
  1802. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  1803. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!BitBlt
  1804.  
  1805. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  1806. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!MaskBlt
  1807.  
  1808. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  1809. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!CreateDCW
  1810.  
  1811. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  1812. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!CreateDCA
  1813.  
  1814. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  1815. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!GetPixel
  1816.  
  1817. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  1818. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!StretchBlt
  1819.  
  1820. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  1821. .text C:\windows\system32\svchost.exe[2856] C:\windows\system32\GDI32.dll!PlgBlt
  1822.  
  1823. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  1824. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  1825.  
  1826. 0000000077333ae0 5 bytes JMP 000000016fff0110
  1827. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  1828.  
  1829. 0000000077337a90 5 bytes JMP 000000016fff0d50
  1830. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtClose
  1831.  
  1832. 0000000077361400 8 bytes JMP 000000016fff00d8
  1833. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  1834.  
  1835. 00000000773615d0 8 bytes JMP 000000016fff0a78
  1836. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  1837.  
  1838. 0000000077361640 8 bytes JMP 000000016fff0c00
  1839. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  1840.  
  1841. 0000000077361680 8 bytes JMP 000000016fff0b90
  1842. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  1843.  
  1844. 0000000077361720 8 bytes JMP 000000016fff0c38
  1845. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  1846.  
  1847. 00000000773617b0 8 bytes JMP 000000016fff0b58
  1848. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  1849.  
  1850. 00000000773617f0 8 bytes JMP 000000016fff0998
  1851. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  1852.  
  1853. 0000000077361840 1 byte JMP 000000016fff09d0
  1854. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  1855.  
  1856. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  1857. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  1858.  
  1859. 0000000077361860 8 bytes JMP 000000016fff0bc8
  1860. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  1861.  
  1862. 0000000077361a50 8 bytes JMP 000000016fff0d18
  1863. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  1864.  
  1865. 0000000077361b60 8 bytes JMP 000000016fff0960
  1866. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  1867.  
  1868. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  1869. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  1870.  
  1871. 0000000077361d80 8 bytes JMP 000000016fff0c70
  1872. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  1873.  
  1874. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  1875. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  1876.  
  1877. 0000000077362100 8 bytes JMP 000000016fff0ae8
  1878. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  1879.  
  1880. 0000000077362190 8 bytes JMP 000000016fff0ca8
  1881. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  1882.  
  1883. 0000000077362a00 8 bytes JMP 000000016fff0b20
  1884. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  1885.  
  1886. 0000000077362a80 8 bytes JMP 000000016fff0a08
  1887. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  1888.  
  1889. 0000000077362b00 8 bytes JMP 000000016fff0a40
  1890. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\system32\kernel32.dll!CreateProcessAsUserW
  1891.  
  1892. 00000000770fa420 12 bytes JMP 000000016fff01b8
  1893. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\system32\kernel32.dll!CreateProcessW
  1894.  
  1895. 0000000077111b50 12 bytes JMP 000000016fff0148
  1896. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\system32\kernel32.dll!CreateProcessA
  1897.  
  1898. 0000000077188810 7 bytes JMP 000000016fff0180
  1899. .text C:\windows\system32\SearchIndexer.exe[2968] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  1900.  
  1901. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  1902. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtClose
  1903.  
  1904. 000000007750f9c0 5 bytes JMP 000000011001d120
  1905. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess
  1906.  
  1907. 000000007750fc90 5 bytes JMP 000000011002fc20
  1908. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtOpenFile
  1909.  
  1910. 000000007750fd44 5 bytes JMP 000000011002e100
  1911. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtOpenSection
  1912.  
  1913. 000000007750fda8 5 bytes JMP 000000011002ed90
  1914. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken
  1915.  
  1916. 000000007750fea0 5 bytes JMP 000000011002c3c0
  1917. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtCreateSection
  1918.  
  1919. 000000007750ff84 5 bytes JMP 000000011002e7a0
  1920. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtCreateThread
  1921.  
  1922. 000000007750ffe4 2 bytes JMP 0000000110030080
  1923. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 3
  1924.  
  1925. 000000007750ffe7 2 bytes [B2, 98]
  1926. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread
  1927.  
  1928. 0000000077510064 5 bytes JMP 000000011002fe40
  1929. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtCreateFile
  1930.  
  1931. 0000000077510094 5 bytes JMP 000000011002e400
  1932. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort
  1933.  
  1934. 0000000077510398 5 bytes JMP 000000011002cde0
  1935. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort
  1936.  
  1937. 0000000077510530 5 bytes JMP 000000011002b670
  1938. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtConnectPort
  1939.  
  1940. 0000000077510674 5 bytes JMP 000000011002f8b0
  1941. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject
  1942.  
  1943. 000000007751086c 5 bytes JMP 000000011002bfe0
  1944. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx
  1945.  
  1946. 0000000077510884 5 bytes JMP 000000011002ca40
  1947. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver
  1948.  
  1949. 0000000077510dd4 5 bytes JMP 000000011002f6a0
  1950. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject
  1951.  
  1952. 0000000077510eb8 5 bytes JMP 000000011002f220
  1953. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation
  1954.  
  1955. 0000000077511bc4 5 bytes JMP 000000011002f460
  1956. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem
  1957.  
  1958. 0000000077511c94 5 bytes JMP 000000011002c670
  1959. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl
  1960.  
  1961. 0000000077511d6c 5 bytes JMP 000000011002f020
  1962. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll
  1963.  
  1964. 000000007752c45a 5 bytes JMP 0000000110027f40
  1965. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll
  1966.  
  1967. 0000000077531217 7 bytes JMP 000000011001d240
  1968. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\kernel32.dll!CreateProcessW
  1969.  
  1970. 0000000074ff103d 5 bytes JMP 0000000110025070
  1971. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\kernel32.dll!CreateProcessA
  1972.  
  1973. 0000000074ff1072 5 bytes JMP 0000000110025c00
  1974. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW
  1975.  
  1976. 000000007501c9b5 5 bytes JMP 0000000110023ba0
  1977. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters
  1978.  
  1979. 00000000760ff776 5 bytes JMP 000000011001d270
  1980. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!PostThreadMessageW
  1981.  
  1982. 0000000075988bff 5 bytes JMP 000000011001b6e0
  1983. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SystemParametersInfoW
  1984.  
  1985. 00000000759890d3 7 bytes JMP 000000011001c470
  1986. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendMessageW
  1987.  
  1988. 0000000075989679 5 bytes JMP 000000011001b1a0
  1989. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW
  1990.  
  1991. 00000000759897d2 5 bytes JMP 000000011001ac20
  1992. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SetWinEventHook
  1993.  
  1994. 000000007598ee09 5 bytes JMP 000000011001c160
  1995. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!RegisterHotKey
  1996.  
  1997. 000000007598efc9 5 bytes JMP 0000000110018140
  1998. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!PostMessageW
  1999.  
  2000. 00000000759912a5 5 bytes JMP 000000011001bc20
  2001. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!GetKeyState
  2002.  
  2003. 000000007599291f 5 bytes JMP 00000001100193d0
  2004. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SetParent
  2005.  
  2006. 0000000075992d64 5 bytes JMP 0000000110018980
  2007. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!EnableWindow
  2008.  
  2009. 0000000075992da4 5 bytes JMP 0000000110017ea0
  2010. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!MoveWindow
  2011.  
  2012. 0000000075993698 5 bytes JMP 0000000110018c20
  2013. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!PostMessageA
  2014.  
  2015. 0000000075993baa 5 bytes JMP 000000011001bec0
  2016. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!PostThreadMessageA
  2017.  
  2018. 0000000075993c61 5 bytes JMP 000000011001b980
  2019. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendMessageA
  2020.  
  2021. 000000007599612e 5 bytes JMP 000000011001b440
  2022. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SystemParametersInfoA
  2023.  
  2024. 0000000075996c30 7 bytes JMP 000000011001c690
  2025. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SetWindowsHookExW
  2026.  
  2027. 0000000075997603 5 bytes JMP 000000011001c8b0
  2028. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendNotifyMessageW
  2029.  
  2030. 0000000075997668 5 bytes JMP 000000011001a160
  2031. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendMessageCallbackW
  2032.  
  2033. 00000000759976e0 5 bytes JMP 000000011001a6a0
  2034. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA
  2035.  
  2036. 000000007599781f 5 bytes JMP 000000011001aee0
  2037. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SetWindowsHookExA
  2038.  
  2039. 000000007599835c 5 bytes JMP 000000011001cb20
  2040. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SetClipboardViewer
  2041.  
  2042. 000000007599c4b6 5 bytes JMP 0000000110018780
  2043. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA
  2044.  
  2045. 00000000759ac112 5 bytes JMP 0000000110019eb0
  2046. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW
  2047.  
  2048. 00000000759ad0f5 5 bytes JMP 0000000110019c00
  2049. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!GetAsyncKeyState
  2050.  
  2051. 00000000759aeb96 5 bytes JMP 0000000110019120
  2052. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!GetKeyboardState
  2053.  
  2054. 00000000759aec68 5 bytes JMP 0000000110019680
  2055. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendInput
  2056.  
  2057. 00000000759aff4a 5 bytes JMP 0000000110019930
  2058. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!GetClipboardData
  2059.  
  2060. 00000000759c9f1d 5 bytes JMP 0000000110018370
  2061. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!ExitWindowsEx
  2062.  
  2063. 00000000759d1497 5 bytes JMP 0000000110017c90
  2064. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!mouse_event
  2065.  
  2066. 00000000759e027b 5 bytes JMP 00000001100297c0
  2067. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!keybd_event
  2068.  
  2069. 00000000759e02bf 5 bytes JMP 00000001100299d0
  2070. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendMessageCallbackA
  2071.  
  2072. 00000000759e6cfc 5 bytes JMP 000000011001a960
  2073. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!SendNotifyMessageA
  2074.  
  2075. 00000000759e6d5d 5 bytes JMP 000000011001a400
  2076. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!BlockInput
  2077.  
  2078. 00000000759e7dd7 5 bytes JMP 0000000110018580
  2079. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices
  2080.  
  2081. 00000000759e88eb 5 bytes JMP 0000000110018f00
  2082. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!DeleteDC
  2083.  
  2084. 0000000075fa58b3 5 bytes JMP 0000000110028d10
  2085. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!BitBlt
  2086.  
  2087. 0000000075fa5ea6 5 bytes JMP 0000000110029530
  2088. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!CreateDCA
  2089.  
  2090. 0000000075fa7bcc 5 bytes JMP 0000000110029e10
  2091. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!StretchBlt
  2092.  
  2093. 0000000075fab895 5 bytes JMP 0000000110028d50
  2094. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!MaskBlt
  2095.  
  2096. 0000000075fac332 5 bytes JMP 0000000110029280
  2097. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!GetPixel
  2098.  
  2099. 0000000075facbfb 5 bytes JMP 0000000110028ae0
  2100. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!CreateDCW
  2101.  
  2102. 0000000075fae743 5 bytes JMP 0000000110029d10
  2103. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\GDI32.dll!PlgBlt
  2104.  
  2105. 0000000075fd4646 5 bytes JMP 0000000110028ff0
  2106. .text C:\Users\jane \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3044] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA
  2107.  
  2108. 0000000077002538 5 bytes JMP 00000001100244d0
  2109. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtClose
  2110.  
  2111. 000000007750f9c0 5 bytes JMP 000000011001d120
  2112. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess
  2113.  
  2114. 000000007750fc90 5 bytes JMP 000000011002fc20
  2115. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtOpenFile
  2116.  
  2117. 000000007750fd44 5 bytes JMP 000000011002e100
  2118. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtOpenSection
  2119.  
  2120. 000000007750fda8 5 bytes JMP 000000011002ed90
  2121. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken
  2122.  
  2123. 000000007750fea0 5 bytes JMP 000000011002c3c0
  2124. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtCreateSection
  2125.  
  2126. 000000007750ff84 5 bytes JMP 000000011002e7a0
  2127. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtCreateThread
  2128.  
  2129. 000000007750ffe4 2 bytes JMP 0000000110030080
  2130. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 3
  2131.  
  2132. 000000007750ffe7 2 bytes [B2, 98]
  2133. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread
  2134.  
  2135. 0000000077510064 5 bytes JMP 000000011002fe40
  2136. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtCreateFile
  2137.  
  2138. 0000000077510094 5 bytes JMP 000000011002e400
  2139. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort
  2140.  
  2141. 0000000077510398 5 bytes JMP 000000011002cde0
  2142. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort
  2143.  
  2144. 0000000077510530 5 bytes JMP 000000011002b670
  2145. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtConnectPort
  2146.  
  2147. 0000000077510674 5 bytes JMP 000000011002f8b0
  2148. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject
  2149.  
  2150. 000000007751086c 5 bytes JMP 000000011002bfe0
  2151. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx
  2152.  
  2153. 0000000077510884 5 bytes JMP 000000011002ca40
  2154. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver
  2155.  
  2156. 0000000077510dd4 5 bytes JMP 000000011002f6a0
  2157. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject
  2158.  
  2159. 0000000077510eb8 5 bytes JMP 000000011002f220
  2160. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation
  2161.  
  2162. 0000000077511bc4 5 bytes JMP 000000011002f460
  2163. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem
  2164.  
  2165. 0000000077511c94 5 bytes JMP 000000011002c670
  2166. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl
  2167.  
  2168. 0000000077511d6c 5 bytes JMP 000000011002f020
  2169. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll
  2170.  
  2171. 000000007752c45a 5 bytes JMP 0000000110027f40
  2172. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll
  2173.  
  2174. 0000000077531217 7 bytes JMP 000000011001d240
  2175. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\kernel32.dll!CreateProcessW
  2176.  
  2177. 0000000074ff103d 5 bytes JMP 0000000110025070
  2178. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\kernel32.dll!CreateProcessA
  2179.  
  2180. 0000000074ff1072 5 bytes JMP 0000000110025c00
  2181. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW
  2182.  
  2183. 000000007501c9b5 5 bytes JMP 0000000110023ba0
  2184. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters
  2185.  
  2186. 00000000760ff776 5 bytes JMP 000000011001d270
  2187. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!DeleteDC
  2188.  
  2189. 0000000075fa58b3 5 bytes JMP 0000000110028d10
  2190. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!BitBlt
  2191.  
  2192. 0000000075fa5ea6 5 bytes JMP 0000000110029530
  2193. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!CreateDCA
  2194.  
  2195. 0000000075fa7bcc 5 bytes JMP 0000000110029e10
  2196. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!StretchBlt
  2197.  
  2198. 0000000075fab895 5 bytes JMP 0000000110028d50
  2199. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!MaskBlt
  2200.  
  2201. 0000000075fac332 5 bytes JMP 0000000110029280
  2202. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!GetPixel
  2203.  
  2204. 0000000075facbfb 5 bytes JMP 0000000110028ae0
  2205. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!CreateDCW
  2206.  
  2207. 0000000075fae743 5 bytes JMP 0000000110029d10
  2208. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\GDI32.dll!PlgBlt
  2209.  
  2210. 0000000075fd4646 5 bytes JMP 0000000110028ff0
  2211. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!PostThreadMessageW
  2212.  
  2213. 0000000075988bff 5 bytes JMP 000000011001b6e0
  2214. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SystemParametersInfoW
  2215.  
  2216. 00000000759890d3 7 bytes JMP 000000011001c470
  2217. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendMessageW
  2218.  
  2219. 0000000075989679 5 bytes JMP 000000011001b1a0
  2220. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW
  2221.  
  2222. 00000000759897d2 5 bytes JMP 000000011001ac20
  2223. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SetWinEventHook
  2224.  
  2225. 000000007598ee09 5 bytes JMP 000000011001c160
  2226. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!RegisterHotKey
  2227.  
  2228. 000000007598efc9 5 bytes JMP 0000000110018140
  2229. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!PostMessageW
  2230.  
  2231. 00000000759912a5 5 bytes JMP 000000011001bc20
  2232. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!GetKeyState
  2233.  
  2234. 000000007599291f 5 bytes JMP 00000001100193d0
  2235. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SetParent
  2236.  
  2237. 0000000075992d64 5 bytes JMP 0000000110018980
  2238. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!EnableWindow
  2239.  
  2240. 0000000075992da4 5 bytes JMP 0000000110017ea0
  2241. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!MoveWindow
  2242.  
  2243. 0000000075993698 5 bytes JMP 0000000110018c20
  2244. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!PostMessageA
  2245.  
  2246. 0000000075993baa 5 bytes JMP 000000011001bec0
  2247. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!PostThreadMessageA
  2248.  
  2249. 0000000075993c61 5 bytes JMP 000000011001b980
  2250. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendMessageA
  2251.  
  2252. 000000007599612e 5 bytes JMP 000000011001b440
  2253. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SystemParametersInfoA
  2254.  
  2255. 0000000075996c30 7 bytes JMP 000000011001c690
  2256. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SetWindowsHookExW
  2257.  
  2258. 0000000075997603 5 bytes JMP 000000011001c8b0
  2259. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendNotifyMessageW
  2260.  
  2261. 0000000075997668 5 bytes JMP 000000011001a160
  2262. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendMessageCallbackW
  2263.  
  2264. 00000000759976e0 5 bytes JMP 000000011001a6a0
  2265. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA
  2266.  
  2267. 000000007599781f 5 bytes JMP 000000011001aee0
  2268. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SetWindowsHookExA
  2269.  
  2270. 000000007599835c 5 bytes JMP 000000011001cb20
  2271. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SetClipboardViewer
  2272.  
  2273. 000000007599c4b6 5 bytes JMP 0000000110018780
  2274. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA
  2275.  
  2276. 00000000759ac112 5 bytes JMP 0000000110019eb0
  2277. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW
  2278.  
  2279. 00000000759ad0f5 5 bytes JMP 0000000110019c00
  2280. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!GetAsyncKeyState
  2281.  
  2282. 00000000759aeb96 5 bytes JMP 0000000110019120
  2283. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!GetKeyboardState
  2284.  
  2285. 00000000759aec68 5 bytes JMP 0000000110019680
  2286. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendInput
  2287.  
  2288. 00000000759aff4a 5 bytes JMP 0000000110019930
  2289. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!GetClipboardData
  2290.  
  2291. 00000000759c9f1d 5 bytes JMP 0000000110018370
  2292. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!ExitWindowsEx
  2293.  
  2294. 00000000759d1497 5 bytes JMP 0000000110017c90
  2295. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!mouse_event
  2296.  
  2297. 00000000759e027b 5 bytes JMP 00000001100297c0
  2298. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!keybd_event
  2299.  
  2300. 00000000759e02bf 5 bytes JMP 00000001100299d0
  2301. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendMessageCallbackA
  2302.  
  2303. 00000000759e6cfc 5 bytes JMP 000000011001a960
  2304. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!SendNotifyMessageA
  2305.  
  2306. 00000000759e6d5d 5 bytes JMP 000000011001a400
  2307. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!BlockInput
  2308.  
  2309. 00000000759e7dd7 5 bytes JMP 0000000110018580
  2310. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices
  2311.  
  2312. 00000000759e88eb 5 bytes JMP 0000000110018f00
  2313. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA
  2314.  
  2315. 0000000077002538 5 bytes JMP 00000001100244d0
  2316. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69
  2317.  
  2318. 00000000774c1465 2 bytes [4C, 77]
  2319. .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2460] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155
  2320.  
  2321. 00000000774c14bb 2 bytes [4C, 77]
  2322. .text ...
  2323.  
  2324. * 2
  2325. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll
  2326.  
  2327. 0000000077333ae0 5 bytes JMP 000000016fff0110
  2328. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll
  2329.  
  2330. 0000000077337a90 5 bytes JMP 000000016fff0d50
  2331. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtClose
  2332.  
  2333. 0000000077361400 8 bytes JMP 000000016fff00d8
  2334. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess
  2335.  
  2336. 00000000773615d0 8 bytes JMP 000000016fff0a78
  2337. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile
  2338.  
  2339. 0000000077361640 8 bytes JMP 000000016fff0c00
  2340. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection
  2341.  
  2342. 0000000077361680 8 bytes JMP 000000016fff0b90
  2343. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken
  2344.  
  2345. 0000000077361720 8 bytes JMP 000000016fff0c38
  2346. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection
  2347.  
  2348. 00000000773617b0 8 bytes JMP 000000016fff0b58
  2349. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread
  2350.  
  2351. 00000000773617f0 8 bytes JMP 000000016fff0998
  2352. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread
  2353.  
  2354. 0000000077361840 1 byte JMP 000000016fff09d0
  2355. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2
  2356.  
  2357. 0000000077361842 6 bytes {JMP 0xfffffffff8c8f190}
  2358. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile
  2359.  
  2360. 0000000077361860 8 bytes JMP 000000016fff0bc8
  2361. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
  2362.  
  2363. 0000000077361a50 8 bytes JMP 000000016fff0d18
  2364. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort
  2365.  
  2366. 0000000077361b60 8 bytes JMP 000000016fff0960
  2367. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort
  2368.  
  2369. 0000000077361c30 8 bytes JMP 000000016fff0ab0
  2370. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject
  2371.  
  2372. 0000000077361d80 8 bytes JMP 000000016fff0c70
  2373. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx
  2374.  
  2375. 0000000077361d90 8 bytes JMP 000000016fff0ce0
  2376. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver
  2377.  
  2378. 0000000077362100 8 bytes JMP 000000016fff0ae8
  2379. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject
  2380.  
  2381. 0000000077362190 8 bytes JMP 000000016fff0ca8
  2382. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation
  2383.  
  2384. 0000000077362a00 8 bytes JMP 000000016fff0b20
  2385. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem
  2386.  
  2387. 0000000077362a80 8 bytes JMP 000000016fff0a08
  2388. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
  2389.  
  2390. 0000000077362b00 8 bytes JMP 000000016fff0a40
  2391. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW
  2392.  
  2393. 00000000770fa420 12 bytes JMP 000000016fff01b8
  2394. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\KERNEL32.dll!CreateProcessW
  2395.  
  2396. 0000000077111b50 12 bytes JMP 000000016fff0148
  2397. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\KERNEL32.dll!CreateProcessA
  2398.  
  2399. 0000000077188810 7 bytes JMP 000000016fff0180
  2400. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  2401.  
  2402. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  2403. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!DeleteDC
  2404.  
  2405. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  2406. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!BitBlt
  2407.  
  2408. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  2409. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!MaskBlt
  2410.  
  2411. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  2412. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!CreateDCW
  2413.  
  2414. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  2415. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!CreateDCA
  2416.  
  2417. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  2418. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!GetPixel
  2419.  
  2420. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  2421. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!StretchBlt
  2422.  
  2423. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  2424. .text C:\Program Files (x86)\EMET\EMET_notifier.exe[2524] C:\windows\system32\GDI32.dll!PlgBlt
  2425.  
  2426. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  2427. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters
  2428.  
  2429. 000007fefd305290 7 bytes JMP 000007fffd0c0148
  2430. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA
  2431.  
  2432. 000007fefebfa1a0 7 bytes JMP 000007fffd0c0180
  2433. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!DeleteDC
  2434.  
  2435. 000007fefe3522cc 5 bytes JMP 000007fffd0c0260
  2436. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!BitBlt
  2437.  
  2438. 000007fefe3524c0 5 bytes JMP 000007fffd0c0298
  2439. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!MaskBlt
  2440.  
  2441. 000007fefe355be0 5 bytes JMP 000007fffd0c02d0
  2442. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!CreateDCW
  2443.  
  2444. 000007fefe358398 9 bytes JMP 000007fffd0c01f0
  2445. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!CreateDCA
  2446.  
  2447. 000007fefe3589c8 9 bytes JMP 000007fffd0c01b8
  2448. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!GetPixel
  2449.  
  2450. 000007fefe359344 5 bytes JMP 000007fffd0c0228
  2451. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!StretchBlt
  2452.  
  2453. 000007fefe35b9e8 5 bytes JMP 000007fffd0c0340
  2454. .text C:\windows\system32\wbem\wmiprvse.exe[1864] C:\windows\system32\GDI32.dll!PlgBlt
  2455.  
  2456. 000007fefe365410 5 bytes JMP 000007fffd0c0308
  2457.  
  2458. ---- User IAT/EAT - GMER 2.1 ----
  2459.  
  2460. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!_initterm]
  2461.  
  2462. [5f20c48348482474]
  2463. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!free]
  2464.  
  2465. [ccccccccccccccc3]
  2466. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!malloc]
  2467.  
  2468. [6c894808245c8948]
  2469. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!_unlock]
  2470.  
  2471. [8966da8b48ff33c0]
  2472. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!__dllonexit]
  2473.  
  2474. [222444894820247c]
  2475. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!_XcptFilter]
  2476.  
  2477. [244489662a244489]
  2478. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!??3@YAXPEAX@Z]
  2479.  
  2480. [7a890574d73b482e]
  2481. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!_amsg_exit]
  2482.  
  2483. [23fe158d483a8904]
  2484. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!??_U@YAPEAX_K@Z]
  2485.  
  2486. [4cffffb763e8ffff]
  2487. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!??_V@YAXPEAX@Z]
  2488.  
  2489. [b80a75c73b48d88b]
  2490. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!_purecall]
  2491.  
  2492. [123e980070057]
  2493. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[msvcrt.dll!wcschr]
  2494.  
  2495. [8d482024448d4c00]
  2496. [snip]
  2497. IAT C:\windows\Explorer.EXE[2732] @ C:\windows\System32\shacct.dll[KERNEL32.dll!LocalAlloc]
  2498.  
  2499. [1774ed851b78c085]
  2500.  
  2501.  
  2502. <<<[IAT HOOKS FOR COMODO INTERNET SECURITY TRUNCATED FOR BREVITY]>>>
  2503.  
  2504.  
  2505. ---- Devices - GMER 2.1 ----
  2506.  
  2507. Device \FileSystem\fastfat \Fat
  2508.  
  2509. fffff880081d4718
  2510. Device \Driver\WudfPf \Device\WUDFLpcDevice
  2511.  
  2512. fffff88008037910
  2513. Device \Driver\USBSTOR -> DriverStartIo \Device\00000086
  2514.  
  2515. fffff880081ac9c4
  2516. Device \Driver\USBSTOR \Device\00000086
  2517.  
  2518. fffff880081be578
  2519. Device \Driver\WudfPf \Device\ProcessManagement
  2520.  
  2521. fffff88008037910
  2522. Device \Driver\USBSTOR -> DriverStartIo \Device\00000087
  2523.  
  2524. fffff880081ac9c4
  2525. Device \Driver\USBSTOR \Device\00000087
  2526.  
  2527. fffff880081be578