GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-28 00:29:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: 074kdi2q.exe; Driver: C:\Users\Golo\AppData\Local\Temp\aftcraod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077391360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077391560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077391360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077391560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[684] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee33e80 6 bytes {JMP QWORD [RIP+0x13c1b0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefcf850a0 6 bytes JMP 9b3 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077246ef0 6 bytes {JMP QWORD [RIP+0x9199140]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077248184 6 bytes {JMP QWORD [RIP+0x9277eac]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetParent 0000000077248530 6 bytes {JMP QWORD [RIP+0x91b7b00]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077249bcc 6 bytes {JMP QWORD [RIP+0x8f16464]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!PostMessageA 000000007724a404 6 bytes {JMP QWORD [RIP+0x8f55c2c]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!EnableWindow 000000007724aaa0 6 bytes {JMP QWORD [RIP+0x92b5590]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!MoveWindow 000000007724aad0 6 bytes {JMP QWORD [RIP+0x91d5560]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007724c720 6 bytes {JMP QWORD [RIP+0x9173910]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007724cd50 6 bytes {JMP QWORD [RIP+0x92532e0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007724d2b0 6 bytes {JMP QWORD [RIP+0x8f92d80]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendMessageA 000000007724d338 6 bytes {JMP QWORD [RIP+0x8fd2cf8]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007724dc40 6 bytes {JMP QWORD [RIP+0x90b23f0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007724f510 6 bytes {JMP QWORD [RIP+0x9290b20]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007724f874 6 bytes {JMP QWORD [RIP+0x8ed07bc]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007724fac0 6 bytes {JMP QWORD [RIP+0x9030570]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077250b74 6 bytes {JMP QWORD [RIP+0x8faf4bc]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772533b0 6 bytes {JMP QWORD [RIP+0x8f2cc80]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077254d4d 5 bytes {JMP QWORD [RIP+0x8eeb2e4]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!GetKeyState 0000000077255010 6 bytes {JMP QWORD [RIP+0x914b020]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077255438 6 bytes {JMP QWORD [RIP+0x906abf8]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendMessageW 0000000077256b50 6 bytes {JMP QWORD [RIP+0x8fe94e0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!PostMessageW 00000000772576e4 6 bytes {JMP QWORD [RIP+0x8f6894c]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007725dd90 6 bytes {JMP QWORD [RIP+0x90e22a0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!GetClipboardData 000000007725e874 6 bytes {JMP QWORD [RIP+0x92217bc]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007725f780 6 bytes {JMP QWORD [RIP+0x91e08b0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772628e4 6 bytes {JMP QWORD [RIP+0x907d74c]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!mouse_event 0000000077263894 6 bytes {JMP QWORD [RIP+0x8e7c79c]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077268a10 6 bytes {JMP QWORD [RIP+0x9117620]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077268be0 6 bytes {JMP QWORD [RIP+0x8ff7450]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077268c20 6 bytes {JMP QWORD [RIP+0x8e97410]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendInput 0000000077268cd0 6 bytes {JMP QWORD [RIP+0x90f7360]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!BlockInput 000000007726ad60 6 bytes {JMP QWORD [RIP+0x91f52d0]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772914e0 6 bytes {JMP QWORD [RIP+0x928eb50]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!keybd_event 00000000772b45a4 6 bytes {JMP QWORD [RIP+0x8e0ba8c]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000772bcc08 6 bytes {JMP QWORD [RIP+0x9063428]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000772bdf18 6 bytes {JMP QWORD [RIP+0x8fe2118]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes JMP 0 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\lsass.exe[700] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsm.exe[708] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012a50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee33e80 6 bytes {JMP QWORD [RIP+0x13c1b0]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[856] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000011c50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee33e80 6 bytes JMP d45190 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 699 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011650a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000012250a0 6 bytes JMP 9b3 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes JMP 2e0039 .text C:\Windows\System32\svchost.exe[588] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000012250a0 6 bytes JMP 9b3 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes JMP 250025 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes JMP 9f3c7b1 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes JMP 50035 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes JMP 2281 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes JMP 5d2ff61 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes JMP ac01 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes JMP 92c7ae8 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes JMP 8bfbd20 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes JMP 500050 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes JMP e3881 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes JMP 891df70 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes JMP 8957090 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes JMP 40004 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes JMP 8caafd1 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes JMP 590052 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes JMP 2afa481 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes JMP e40201 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes JMP 2a3f481 .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes JMP 6208429 .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes JMP 43004c .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes JMP 5d7c1b9 .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes JMP 6f2d .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 51716c11 .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\System32\svchost.exe[504] C:\Windows\System32\SspiCli.dll!EncryptMessage 00000000012150a0 6 bytes {JMP QWORD [RIP+0x11af90]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012950a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee33e80 6 bytes {JMP QWORD [RIP+0x13c1b0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes JMP 6f2d .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 51716c11 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes {JMP QWORD [RIP+0xc05e0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010d50a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 08] .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0x2ddd64]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x2fdb70]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x31a440]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0x297c98]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x277658]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0x2b6cec]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x354638]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x333750]} .text C:\Windows\System32\spoolsv.exe[1412] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000025450a0 6 bytes {JMP QWORD [RIP+0x14af90]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee33e80 6 bytes {JMP QWORD [RIP+0x13c1b0]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes JMP 2e0039 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes JMP a5f450b .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000028a50a0 6 bytes {JMP QWORD [RIP+0x21af90]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\Dwm.exe[1692] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 61004300 .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 30] .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0x112dd64]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x114db70]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x116a440]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0x10e7c98]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x10c7658]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 4 bytes [FF, 25, EC, 6C] .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!GetPixel + 5 000007fefd939349 1 byte [01] .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x11a4638]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x1183750]} .text C:\Windows\Explorer.EXE[1776] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcf850a0 6 bytes JMP 9b3 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0D] .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text E:\!Programy\Narzedzia\COMODO Programs Manager\CPMService.exe[1900] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f450a0 6 bytes JMP 0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000737b1a22 2 bytes [7B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000737b1ad0 2 bytes [7B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000737b1b08 2 bytes [7B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000737b1bba 2 bytes [7B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000737b1bda 2 bytes [7B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[1972] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010c50a0 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes JMP 40 .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes JMP 1185 .text C:\Windows\System32\igfxtray.exe[2396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes JMP 6c697475 .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes JMP 1185 .text C:\Windows\System32\hkcmd.exe[2660] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 08] .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 30] .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0x112dd64]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x114db70]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x116a440]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0x10e7c98]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x10c7658]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 4 bytes [FF, 25, EC, 6C] .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!GetPixel + 5 000007fefd939349 1 byte [01] .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x11a4638]} .text C:\Windows\System32\igfxpers.exe[2784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x1183750]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0D] .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2940] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000002a150a0 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2220] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3536] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011d50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff5ba1a0 6 bytes {JMP QWORD [RIP+0xc5e90]} .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff5dfa50 6 bytes JMP 2e0039 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000010c50a0 6 bytes JMP 9b3 .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077363b10 6 bytes {JMP QWORD [RIP+0x8cdc520]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773913a0 6 bytes {JMP QWORD [RIP+0x8c8ec90]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077391570 6 bytes {JMP QWORD [RIP+0x924eac0]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773915e0 6 bytes {JMP QWORD [RIP+0x932ea50]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391620 6 bytes {JMP QWORD [RIP+0x92eea10]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773916c0 6 bytes {JMP QWORD [RIP+0x934e970]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077391750 6 bytes {JMP QWORD [RIP+0x92ce8e0]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077391790 6 bytes {JMP QWORD [RIP+0x91ce8a0]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773917e0 6 bytes {JMP QWORD [RIP+0x91ee850]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077391800 6 bytes {JMP QWORD [RIP+0x930e830]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773919f0 6 bytes {JMP QWORD [RIP+0x93ce640]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b00 6 bytes {JMP QWORD [RIP+0x91ae530]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077391bd0 6 bytes {JMP QWORD [RIP+0x926e460]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077391d20 6 bytes {JMP QWORD [RIP+0x936e310]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d30 6 bytes {JMP QWORD [RIP+0x93ae300]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773920a0 6 bytes {JMP QWORD [RIP+0x928df90]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077392130 6 bytes {JMP QWORD [RIP+0x938df00]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773929a0 6 bytes {JMP QWORD [RIP+0x92ad690]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a20 6 bytes {JMP QWORD [RIP+0x920d610]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392aa0 6 bytes {JMP QWORD [RIP+0x922d590]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd449055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4553c0 5 bytes JMP 2202a8 .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9322cc 6 bytes JMP 0 .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9324c0 6 bytes JMP 44f043e .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd935bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd938398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9389d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd939344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd93b9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd93c8e0 6 bytes JMP 2000000 .text C:\Windows\system32\RunDll32.exe[3988] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000025b50a0 6 bytes {JMP QWORD [RIP+0x11af90]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text C:\Windows\SysWOW64\CtHelper.exe[3684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007753f9e0 3 bytes JMP 71af000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007753f9e4 2 bytes JMP 71af000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007753fcb0 3 bytes JMP 70f7000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007753fcb4 2 bytes JMP 70f7000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007753fd64 3 bytes JMP 70e2000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007753fd68 2 bytes JMP 70e2000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007753fdc8 3 bytes JMP 70e8000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007753fdcc 2 bytes JMP 70e8000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007753fec0 3 bytes JMP 70df000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007753fec4 2 bytes JMP 70df000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007753ffa4 3 bytes JMP 70eb000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007753ffa8 2 bytes JMP 70eb000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077540004 3 bytes JMP 7103000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077540008 2 bytes JMP 7103000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077540084 3 bytes JMP 7100000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077540088 2 bytes JMP 7100000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775400b4 3 bytes JMP 70e5000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775400b8 2 bytes JMP 70e5000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775403b8 3 bytes JMP 70d3000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775403bc 2 bytes JMP 70d3000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077540550 3 bytes JMP 7106000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077540554 2 bytes JMP 7106000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077540694 3 bytes JMP 70f4000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077540698 2 bytes JMP 70f4000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007754088c 3 bytes JMP 70dc000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077540890 2 bytes JMP 70dc000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775408a4 3 bytes JMP 70d6000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775408a8 2 bytes JMP 70d6000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077540df4 3 bytes JMP 70f1000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077540df8 2 bytes JMP 70f1000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077540ed8 3 bytes JMP 70d9000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077540edc 2 bytes JMP 70d9000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077541be4 3 bytes JMP 70ee000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077541be8 2 bytes JMP 70ee000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077541cb4 3 bytes JMP 70fd000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077541cb8 2 bytes JMP 70fd000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077541d8c 3 bytes JMP 70fa000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077541d90 2 bytes JMP 70fa000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077561287 6 bytes JMP 71a8000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769a103d 6 bytes JMP 719c000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769a1072 6 bytes JMP 7199000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769cc9b5 6 bytes JMP 7190000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dbf784 6 bytes JMP 719f000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dc2c9e 4 bytes CALL 71ac0000 .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f08332 6 bytes JMP 7160000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f08bff 6 bytes JMP 7154000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f090d3 6 bytes JMP 710f000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f09679 6 bytes JMP 714e000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f097d2 6 bytes JMP 7148000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f0ee09 6 bytes JMP 7166000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f0efc9 3 bytes JMP 7115000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f0efcd 2 bytes JMP 7115000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f112a5 6 bytes JMP 715a000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f1291f 6 bytes JMP 712d000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f12d64 3 bytes JMP 7124000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f12d68 2 bytes JMP 7124000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f12da4 6 bytes JMP 710c000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f13698 3 bytes JMP 7121000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f1369c 2 bytes JMP 7121000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f13baa 6 bytes JMP 715d000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f13c61 6 bytes JMP 7157000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f16110 6 bytes JMP 7163000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f1612e 6 bytes JMP 7151000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f16c30 6 bytes JMP 7112000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f17603 6 bytes JMP 7169000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f17668 6 bytes JMP 713c000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f176e0 6 bytes JMP 7142000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f1781f 6 bytes JMP 714b000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f1835c 6 bytes JMP 716c000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f1c4b6 3 bytes JMP 711e000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f1c4ba 2 bytes JMP 711e000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076f2c112 6 bytes JMP 7139000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076f2d0f5 6 bytes JMP 7136000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076f2eb96 6 bytes JMP 712a000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076f2ec68 3 bytes JMP 7130000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076f2ec6c 2 bytes JMP 7130000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendInput 0000000076f2ff4a 3 bytes JMP 7133000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076f2ff4e 2 bytes JMP 7133000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076f49f1d 6 bytes JMP 7118000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076f51497 6 bytes JMP 7109000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076f6027b 6 bytes JMP 716f000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f602bf 6 bytes JMP 7172000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076f66cfc 6 bytes JMP 7145000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076f66d5d 6 bytes JMP 713f000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076f67dd7 3 bytes JMP 711b000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076f67ddb 2 bytes JMP 711b000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076f688eb 3 bytes JMP 7127000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076f688ef 2 bytes JMP 7127000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765a58b3 6 bytes JMP 7184000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765a5ea6 6 bytes JMP 717e000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765a7bcc 6 bytes JMP 718d000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765ab895 6 bytes JMP 7175000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765ac332 6 bytes JMP 717b000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765acbfb 6 bytes JMP 7187000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765ae743 6 bytes JMP 718a000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765d4857 6 bytes JMP 7178000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076882538 6 bytes JMP 7196000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768852e9 6 bytes JMP 7193000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f6124e 6 bytes JMP 7181000a .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c41465 2 bytes [C4, 75] .text D:\Pulpit\074kdi2q.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c414bb 2 bytes [C4, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b7e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b7c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b8614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b8a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b886c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8004bda2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8004bda2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8004bda2c0 Device \FileSystem\Ntfs \Ntfs fffffa8004be02c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80058032c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{ED15A0FA-C95F-4322-953B-0610A4EDDDE2} fffffa80053812c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80058032c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80058032c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80053812c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8004bda2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8004bda2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80058032c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004bda2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8004bda2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005366060] fffffa8005366060 Trace 3 CLASSPNP.SYS[fffff88001abd43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004ccc680] fffffa8004ccc680 Trace \Driver\atapi[0xfffffa8004cb65d0] -> IRP_MJ_CREATE -> 0xfffffa8004bda2c0 fffffa8004bda2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD5 0x73 0xA2 0xA8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x52 0x41 0xAB 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x62 0xF3 0x27 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----