GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-23 23:29:04 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006f WDC_WD10 rev.80.0 931,51GB Running: iluo888m.exe; Driver: C:\Users\admn\AppData\Local\Temp\ufdorpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031a7000 64 bytes [D8, 70, FC, 0F, 80, FA, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800031a7042 33 bytes [58, 0C, 80, F9, FF, FF, B0, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[760] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff624750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077656ef0 6 bytes {JMP QWORD [RIP+0x8d89140]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077658184 6 bytes {JMP QWORD [RIP+0x8e67eac]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetParent 0000000077658530 6 bytes {JMP QWORD [RIP+0x8da7b00]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077659bcc 6 bytes {JMP QWORD [RIP+0x8b06464]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostMessageA 000000007765a404 6 bytes {JMP QWORD [RIP+0x8b45c2c]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!EnableWindow 000000007765aaa0 6 bytes {JMP QWORD [RIP+0x8ea5590]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!MoveWindow 000000007765aad0 6 bytes {JMP QWORD [RIP+0x8dc5560]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007765c720 6 bytes {JMP QWORD [RIP+0x8d63910]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007765cd50 6 bytes {JMP QWORD [RIP+0x8e432e0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007765d2b0 6 bytes {JMP QWORD [RIP+0x8b82d80]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageA 000000007765d338 6 bytes {JMP QWORD [RIP+0x8bc2cf8]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007765dc40 6 bytes {JMP QWORD [RIP+0x8ca23f0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007765f510 6 bytes {JMP QWORD [RIP+0x8e80b20]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007765f874 6 bytes {JMP QWORD [RIP+0x8ac07bc]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007765fac0 6 bytes {JMP QWORD [RIP+0x8c20570]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077660b74 6 bytes {JMP QWORD [RIP+0x8b9f4bc]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000776633b0 6 bytes {JMP QWORD [RIP+0x8b1cc80]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077664d4d 5 bytes {JMP QWORD [RIP+0x8adb2e4]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetKeyState 0000000077665010 6 bytes {JMP QWORD [RIP+0x8d3b020]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077665438 6 bytes {JMP QWORD [RIP+0x8c5abf8]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageW 0000000077666b50 6 bytes {JMP QWORD [RIP+0x8bd94e0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostMessageW 00000000776676e4 6 bytes {JMP QWORD [RIP+0x8b5894c]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007766dd90 6 bytes {JMP QWORD [RIP+0x8cd22a0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetClipboardData 000000007766e874 6 bytes {JMP QWORD [RIP+0x8e117bc]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007766f780 6 bytes {JMP QWORD [RIP+0x8dd08b0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000776728e4 6 bytes {JMP QWORD [RIP+0x8c6d74c]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!mouse_event 0000000077673894 6 bytes {JMP QWORD [RIP+0x8a6c79c]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077678a10 6 bytes {JMP QWORD [RIP+0x8d07620]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077678be0 6 bytes {JMP QWORD [RIP+0x8be7450]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077678c20 6 bytes {JMP QWORD [RIP+0x8a87410]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendInput 0000000077678cd0 6 bytes {JMP QWORD [RIP+0x8ce7360]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!BlockInput 000000007767ad60 6 bytes {JMP QWORD [RIP+0x8de52d0]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000776a14e0 6 bytes {JMP QWORD [RIP+0x8e7eb50]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!keybd_event 00000000776c45a4 6 bytes {JMP QWORD [RIP+0x89fba8c]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000776ccc08 6 bytes {JMP QWORD [RIP+0x8c53428]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000776cdf18 6 bytes {JMP QWORD [RIP+0x8bd2118]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 6200620 .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff624750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff624750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 300030 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 1ab9e28 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 2813a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 1 .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes JMP b4280 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes JMP 9d42c81 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes JMP 1352c81 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes JMP 1bc0716 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes JMP 2d0046 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes JMP 50004d .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes JMP cb90401 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes JMP 15e62648 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes JMP ac4bfa9 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes JMP 420030 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes JMP 1c001c0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes JMP cfd4db67 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes JMP 81e81 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes JMP f2a2d81 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes JMP 4f0043 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes JMP 10f0081 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes JMP 4f0043 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes JMP 550042 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes JMP e5c9e5d2 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes JMP c5a34a9 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes JMP 10dbfb70 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes JMP e5cae5d3 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 6200620 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes JMP 20002c .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff624750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 6200620 .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[1224] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 6200620 .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\atieclxx.exe[1500] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x25dd64]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x27db70]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x29a450]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x226cec]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x2d4648]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x2aac20]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0x295940]} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0x28f420]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff624750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 35e40c8 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 7 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 0 .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP aab .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\Common Files\ArtistScope\CSHelper64.exe[1780] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP e5752df0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes JMP 7ed1 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x25dd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x27db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 22b7510 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x2d4648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1904] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 71010000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2024] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 2A] .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 2E] .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x25dd64]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x27db70]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x29a450]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x226cec]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x2d4648]} .text D:\LogMeIn Hamachi\hamachi-2.exe[1044] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x2aac20]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[1644] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\svchost.exe[2424] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\System32\WUDFHost.exe[2500] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes JMP fff7f7f7 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes JMP ff323232 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes JMP ff343434 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes JMP ff8394a1 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes JMP ff414141 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes JMP ff242424 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes JMP ffcedae4 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes JMP ffffffff .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes JMP ff5c6268 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes JMP ffbcc3e1 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes JMP ffe0e0df .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes JMP ff333333 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes JMP ff517589 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes JMP ffb1bbc7 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\Dwm.exe[2224] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes JMP 2 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes JMP 320065 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes JMP 7a0072 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes JMP 14f493e0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes JMP 8cc25c0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes JMP 34c8e8 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes JMP 8c59ed0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes JMP fffcfdfe .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes JMP fb50e590 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes JMP fff2f6fc .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes JMP fffffff4 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes JMP 5c0067 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes JMP 211790 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077656ef0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077658184 6 bytes JMP fff1f5fb .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetParent 0000000077658530 6 bytes JMP 11 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077659bcc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!PostMessageA 000000007765a404 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!EnableWindow 000000007765aaa0 6 bytes JMP 31ba26 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!MoveWindow 000000007765aad0 6 bytes JMP c5fda8f2 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007765c720 6 bytes JMP 5c9d050 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007765cd50 6 bytes JMP fffafcfe .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007765d2b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendMessageA 000000007765d338 6 bytes JMP 8b5e1c8 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007765dc40 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007765f510 6 bytes JMP 342dc0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007765f874 6 bytes JMP 49e0005 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007765fac0 6 bytes JMP 8c1cd40 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077660b74 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000776633b0 6 bytes JMP 790062 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077664d4d 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!GetKeyState 0000000077665010 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077665438 6 bytes JMP 5 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendMessageW 0000000077666b50 6 bytes JMP 421f0014 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!PostMessageW 00000000776676e4 6 bytes JMP 7fe .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007766dd90 6 bytes JMP 66006f .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!GetClipboardData 000000007766e874 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007766f780 6 bytes JMP 8dcc210 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000776728e4 6 bytes JMP 4cc38d38 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!mouse_event 0000000077673894 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077678a10 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077678be0 6 bytes JMP 50000004 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077678c20 6 bytes {JMP QWORD [RIP+0x8a87410]} .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendInput 0000000077678cd0 6 bytes JMP 15021290 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!BlockInput 000000007767ad60 6 bytes JMP 3a .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000776a14e0 6 bytes {JMP QWORD [RIP+0x8e7eb50]} .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!keybd_event 00000000776c45a4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000776ccc08 6 bytes JMP 8d60b50 .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000776cdf18 6 bytes JMP 0 .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe[2552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes JMP 7193000a .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1384] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes [26, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes [23, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes JMP 0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes JMP 0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3332] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 79000026 .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 30303220 .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\DllHost.exe[3524] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes JMP f .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes JMP 955c4d0 .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3744] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3744] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3744] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes [E4, 70] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes [05, 71] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes [E7, 70] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes [08, 71] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes [DE, 70] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes [DB, 70] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes [F0, 70] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes JMP 7163000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes [17, 71] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes JMP 7166000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3904] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes [E1, 70] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes [D5, 70] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes [D8, 70] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes [DB, 70] .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes JMP 7163000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes JMP 7166000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe[3916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes [29, 71] .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes JMP 6c .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes JMP 482d6563 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes JMP 39313a5d .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 660075 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 78b0b638 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 0 .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70f4000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70f4000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70df000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70df000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70e5000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70e5000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes [FF, 25, 1E] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes [DB, 70] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70e8000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70e8000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes [FF, 25, 1E] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes [FF, 70] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes [FF, 25, 1E] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes [FC, 70] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e2000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e2000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d0000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d0000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7103000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7103000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f1000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f1000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70d9000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70d9000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d3000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d3000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70ee000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70ee000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70d6000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70d6000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70eb000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70eb000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes [FF, 25, 1E] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes [F9, 70] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70f7000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70f7000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes {JMP QWORD [RIP+0x715c001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes {JMP QWORD [RIP+0x7150001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 710c000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 714b000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 7145000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7163000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes [FF, 25, 1E] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes [11, 71] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes {JMP QWORD [RIP+0x7156001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 712a000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7121000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7121000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 7109000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 711e000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 711e000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes {JMP QWORD [RIP+0x7159001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes {JMP QWORD [RIP+0x7153001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes JMP 7160000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes {JMP QWORD [RIP+0x714d001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 710f000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 7166000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 7139000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 713f000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 7148000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes {JMP QWORD [RIP+0x7168001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 711b000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 711b000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 7136000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7133000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes {JMP QWORD [RIP+0x7126001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 712d000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 712d000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7130000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7130000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 7115000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 7106000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes {JMP QWORD [RIP+0x716b001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 716f000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes {JMP QWORD [RIP+0x7141001e]} .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 713c000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 7118000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 7118000a .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes [FF, 25, 1E] .text D:\LogMeIn Hamachi\hamachi-2-ui.exe[3308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes [23, 71] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text D:\LogMeIn Hamachi\LMIGuardianSvc.exe[3428] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes JMP 14 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe27a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe2a0c10 6 bytes JMP 6200620 .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes CALL 79000026 .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[4988] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes JMP 0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!GetPixel 000007feff959344 6 bytes JMP 0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[924] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[5732] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[5732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765b1465 2 bytes [5B, 76] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[5804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765b14bb 2 bytes [5B, 76] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 6 bytes {JMP QWORD [RIP+0x87ac520]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c13a0 6 bytes {JMP QWORD [RIP+0x875ec90]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 6 bytes {JMP QWORD [RIP+0x8d1eac0]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c15e0 6 bytes {JMP QWORD [RIP+0x8dfea50]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1620 6 bytes {JMP QWORD [RIP+0x8dbea10]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c16c0 6 bytes {JMP QWORD [RIP+0x8e1e970]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c1750 6 bytes {JMP QWORD [RIP+0x8d9e8e0]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c1790 6 bytes {JMP QWORD [RIP+0x8c9e8a0]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c17e0 6 bytes {JMP QWORD [RIP+0x8cbe850]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1800 6 bytes {JMP QWORD [RIP+0x8dde830]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c19f0 6 bytes {JMP QWORD [RIP+0x8e9e640]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b00 6 bytes {JMP QWORD [RIP+0x8c7e530]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1bd0 6 bytes {JMP QWORD [RIP+0x8d3e460]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d20 6 bytes {JMP QWORD [RIP+0x8e3e310]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d30 6 bytes {JMP QWORD [RIP+0x8e7e300]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c20a0 6 bytes {JMP QWORD [RIP+0x8d5df90]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2130 4 bytes [FF, 25, 00, DF] .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2135 1 byte [08] .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c29a0 6 bytes {JMP QWORD [RIP+0x8d7d690]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a20 6 bytes {JMP QWORD [RIP+0x8cdd610]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2aa0 6 bytes {JMP QWORD [RIP+0x8cfd590]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd709055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7153c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff9522cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!BitBlt 000007feff9524c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff955be0 6 bytes {JMP QWORD [RIP+0x24a450]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff958398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff9589c8 6 bytes {JMP QWORD [RIP+0x197668]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!GetPixel 000007feff959344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff95b9e8 6 bytes {JMP QWORD [RIP+0x284648]} .text C:\Windows\system32\AUDIODG.EXE[4720] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff965410 6 bytes {JMP QWORD [RIP+0x25ac20]} .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes JMP 719f000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes JMP 7163000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes JMP 7160000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes JMP 7166000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 713c000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes JMP 7148000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes JMP 7196000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes JMP 7193000a .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765b1465 2 bytes [5B, 76] .text D:\Gry\R.G Mechanics\Dragon Age - Origins\bin_ship\DAOrigins.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765b14bb 2 bytes [5B, 76] .text ... * 2 .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes JMP 719f000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes JMP 7163000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes JMP 7160000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes JMP 7166000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 713c000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes JMP 7148000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes JMP 7196000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes JMP 7193000a .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000765b1465 2 bytes [5B, 76] .text C:\Users\admn\Downloads\OTL.exe[196] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000765b14bb 2 bytes [5B, 76] .text ... * 2 .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9e0 3 bytes JMP 71af000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9e4 2 bytes JMP 71af000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 3 bytes JMP 70fa000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fcb4 2 bytes JMP 70fa000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd64 3 bytes JMP 70e5000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd68 2 bytes JMP 70e5000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fdc8 3 bytes JMP 70eb000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdcc 2 bytes JMP 70eb000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fec0 3 bytes JMP 70e2000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fec4 2 bytes JMP 70e2000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ffa4 3 bytes JMP 70ee000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ffa8 2 bytes JMP 70ee000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a70004 3 bytes JMP 7106000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a70008 2 bytes JMP 7106000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70084 3 bytes JMP 7103000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70088 2 bytes JMP 7103000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a700b4 3 bytes JMP 70e8000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a700b8 2 bytes JMP 70e8000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a703b8 3 bytes JMP 70d6000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a703bc 2 bytes JMP 70d6000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70550 3 bytes JMP 7109000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70554 2 bytes JMP 7109000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70694 3 bytes JMP 70f7000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70698 2 bytes JMP 70f7000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7088c 3 bytes JMP 70df000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70890 2 bytes JMP 70df000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a708a4 3 bytes JMP 70d9000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a708a8 2 bytes JMP 70d9000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70df4 3 bytes JMP 70f4000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70df8 2 bytes JMP 70f4000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70ed8 3 bytes JMP 70dc000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70edc 2 bytes JMP 70dc000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71be4 3 bytes JMP 70f1000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71be8 2 bytes JMP 70f1000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71cb4 3 bytes JMP 7100000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71cb8 2 bytes JMP 7100000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d8c 3 bytes JMP 70fd000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d90 2 bytes JMP 70fd000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 6 bytes JMP 71a8000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007648103d 6 bytes JMP 719c000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076481072 6 bytes JMP 7199000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000764ac965 6 bytes JMP 7190000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000775ef776 6 bytes JMP 719f000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000775f2c91 4 bytes CALL 71ac0000 .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077458332 6 bytes JMP 7163000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077458bff 6 bytes JMP 7157000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000774590d3 6 bytes JMP 7112000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077459679 6 bytes JMP 7151000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000774597d2 6 bytes JMP 714b000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007745ee09 6 bytes JMP 7169000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007745efc9 3 bytes JMP 7118000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007745efcd 2 bytes JMP 7118000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000774612a5 6 bytes JMP 715d000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007746291f 6 bytes JMP 7130000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetParent 0000000077462d64 3 bytes JMP 7127000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077462d68 2 bytes JMP 7127000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077462da4 6 bytes JMP 710f000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000077463698 3 bytes JMP 7124000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007746369c 2 bytes JMP 7124000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077463baa 6 bytes JMP 7160000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077463c61 6 bytes JMP 715a000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077466110 6 bytes JMP 7166000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007746612e 6 bytes JMP 7154000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077466c30 6 bytes JMP 7115000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077467603 6 bytes JMP 716c000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077467668 6 bytes JMP 713f000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000774676e0 6 bytes JMP 7145000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007746781f 6 bytes JMP 714e000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007746835c 6 bytes JMP 716f000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007746c4b6 3 bytes JMP 7121000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007746c4ba 2 bytes JMP 7121000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007747c112 6 bytes JMP 713c000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007747d0f5 6 bytes JMP 7139000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007747eb96 6 bytes JMP 712d000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007747ec68 3 bytes JMP 7133000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007747ec6c 2 bytes JMP 7133000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendInput 000000007747ff4a 3 bytes JMP 7136000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007747ff4e 2 bytes JMP 7136000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077499f1d 6 bytes JMP 711b000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000774a1497 6 bytes JMP 710c000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!mouse_event 00000000774b027b 6 bytes JMP 7172000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!keybd_event 00000000774b02bf 6 bytes JMP 7175000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000774b6cfc 6 bytes JMP 7148000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000774b6d5d 6 bytes JMP 7142000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!BlockInput 00000000774b7dd7 3 bytes JMP 711e000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000774b7ddb 2 bytes JMP 711e000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000774b88eb 3 bytes JMP 712a000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000774b88ef 2 bytes JMP 712a000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773458b3 6 bytes JMP 7184000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077345ea6 6 bytes JMP 7181000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077347bcc 6 bytes JMP 718d000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007734b895 6 bytes JMP 7178000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007734c332 6 bytes JMP 717e000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007734cbfb 6 bytes JMP 7187000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007734e743 6 bytes JMP 718a000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077374646 6 bytes JMP 717b000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076fb2642 6 bytes JMP 7196000a .text C:\Users\admn\Downloads\iluo888m.exe[5392] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076fb5429 6 bytes JMP 7193000a ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001044e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001044c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001045614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001045a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104586c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80076352c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80076352c0 Device \Driver\ax1t668b \Device\Scsi\ax1t668b1 fffffa80084432c0 Device \Driver\ax1t668b \Device\Scsi\ax1t668b1Port3Path0Target0Lun0 fffffa80084432c0 Device \FileSystem\Ntfs \Ntfs fffffa800763f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A6064255-3E57-481C-BC13-23BCA71275E9} fffffa800800d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{241ABE63-3105-4812-9B33-E6C34EF84CF5} fffffa800800d2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa800844f2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800844f2c0 Device \Driver\amd_sata \Device\00000070 fffffa80076392c0 Device \Driver\amd_sata \Device\RaidPort0 fffffa80076392c0 Device \Driver\cdrom \Device\CdRom0 fffffa800801d2c0 Device \Driver\USBSTOR \Device\00000094 fffffa80096782c0 Device \Driver\cdrom \Device\CdRom1 fffffa800801d2c0 Device \Driver\amd_sata \Device\0000006f fffffa80076392c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{62A7E1FD-10AD-4E51-AEE0-1C537CCFE3AF} fffffa800800d2c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa80084512c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80084512c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa80084512c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80084ae2c0 Device \Driver\USBSTOR \Device\00000095 fffffa80096782c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800844f2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa800844f2c0 Device \Driver\USBSTOR \Device\00000096 fffffa80096782c0 Device \Driver\USBSTOR \Device\00000092 fffffa80096782c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800800d2c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa80084512c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80084512c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80076352c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80084512c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80076352c0 Device \Driver\amd_sata \Device\ScsiPort2 fffffa80076392c0 Device \Driver\USBSTOR \Device\00000093 fffffa80096782c0 Device \Driver\ax1t668b \Device\ScsiPort3 fffffa80084432c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800763b2c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys fffffa800763b2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dec060] fffffa8007dec060 Trace 3 CLASSPNP.SYS[fffff88001abb43f] -> nt!IofCallDriver -> [0xfffffa8007add040] fffffa8007add040 Trace \Driver\amd_xata[0xfffffa8007ae1060] -> IRP_MJ_CREATE -> 0xfffffa800763b2c0 fffffa800763b2c0 Trace 5 amd_xata.sys[fffff88000fc2d00] -> nt!IofCallDriver -> \Device\0000006f[0xfffffa8007aeb8a0] fffffa8007aeb8a0 Trace \Driver\amd_sata[0xfffffa8007ad9e70] -> IRP_MJ_CREATE -> 0xfffffa80076392c0 fffffa80076392c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ax1t668b.SYS fffff88005a91000-fffff88005ae2000 (331776 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x59 0xCF 0x9E 0x1A ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBC 0x9E 0x2A 0x07 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x35 0x70 0x7C 0xA4 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x59 0xCF 0x9E 0x1A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBC 0x9E 0x2A 0x07 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x35 0x70 0x7C 0xA4 ... ---- EOF - GMER 2.1 ----