GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-29 18:37:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 ST9160827AS rev.3.AAA 149,05GB Running: iioled2z.exe; Driver: C:\Users\Bartłomiej\AppData\Local\Temp\ugldqpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003ba7000 19 bytes [BF, 7B, 00, 00, C0, 48, 8B, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 548 fffff80003ba7014 34 bytes [8B, 6C, 24, 38, 8B, C7, 48, ...] .text C:\Windows\System32\win32k.sys!EngSetLastError + 620 fffff96000135108 8 bytes [48, 92, CA, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000164300 7 bytes [00, A1, F3, FF, 41, B4, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000164308 3 bytes [00, 07, 02] .text ... * 107 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 304 fffff9600022b200 6 bytes {JMP QWORD [RIP-0xbb862]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773898e0 6 bytes {JMP QWORD [RIP+0x8d16750]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a0650 6 bytes {JMP QWORD [RIP+0x8cbf9e0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773def8d 1 byte [62] .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007741acf0 6 bytes {JMP QWORD [RIP+0x8c65340]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[720] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef73e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd0650a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\lsass.exe[728] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef73e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef73e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes JMP 9b909b90 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes JMP b4a280 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes JMP 9ad19ad1 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes JMP 9a4f9a4f .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes JMP 9b919b91 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes JMP 5d0f089 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes JMP 540fcbb .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes JMP ebd880 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes JMP de01d90 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773898e0 6 bytes JMP 930e99c9 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a0650 6 bytes JMP 8cbfa28 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773def8d 1 byte [62] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007741acf0 6 bytes JMP a9081d0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1184] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1184] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000012d50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773898e0 6 bytes {JMP QWORD [RIP+0x8d16750]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a0650 6 bytes {JMP QWORD [RIP+0x8cbf9e0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773def8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007741acf0 6 bytes {JMP QWORD [RIP+0x8c65340]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef73e80 6 bytes JMP 160001 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed2a6f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed50c10 6 bytes JMP 12f3a0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes JMP 560045 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x33a440]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Windows\system32\AUDIODG.EXE[1284] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x2fdd64]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x33a440]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x2b7c98]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes {JMP QWORD [RIP+0x297658]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x2d6cec]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Windows\system32\svchost.exe[1312] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011150a0 6 bytes {JMP QWORD [RIP+0x10af90]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 12] .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x2fdd64]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x33a440]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x2b7c98]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes {JMP QWORD [RIP+0x297658]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x2d6cec]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Windows\system32\atieclxx.exe[1484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1856] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef73e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [F6, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes [E1, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes [E7, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [DE, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [02, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes [D2, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [F3, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [DB, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes [D5, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [F0, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [D8, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [ED, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [FC, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [F9, 70] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [14, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [23, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes [20, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [1D, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [2F, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [32, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [1A, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [26, 71] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [13, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [22, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x710a001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes [1F, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [1C, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes {JMP QWORD [RIP+0x7128001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [2E, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [31, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [19, 71] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\vmnat.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [25, 71] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2592] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2592] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2704] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000ff50a0 6 bytes {JMP QWORD [RIP+0x84af90]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 77000026 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x2fdd64]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x2b7c98]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes {JMP QWORD [RIP+0x297658]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x2d6cec]} .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes JMP 28cd1acb .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2648] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000026a50a0 6 bytes {JMP QWORD [RIP+0x22af90]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\Explorer.EXE[3232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773898e0 6 bytes {JMP QWORD [RIP+0x8d16750]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773a0650 6 bytes {JMP QWORD [RIP+0x8cbf9e0]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773def8d 1 byte [62] .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007741acf0 6 bytes {JMP QWORD [RIP+0x8c65340]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x2fdd64]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x33a440]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x2b7c98]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes JMP 294270 .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x2d6cec]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077286ef0 6 bytes {JMP QWORD [RIP+0x9159140]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077288184 6 bytes {JMP QWORD [RIP+0x9237eac]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetParent 0000000077288530 6 bytes {JMP QWORD [RIP+0x9177b00]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077289bcc 6 bytes {JMP QWORD [RIP+0x8ed6464]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!PostMessageA 000000007728a404 6 bytes {JMP QWORD [RIP+0x8f15c2c]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!EnableWindow 000000007728aaa0 6 bytes JMP 690063 .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!MoveWindow 000000007728aad0 6 bytes {JMP QWORD [RIP+0x9195560]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007728c720 6 bytes {JMP QWORD [RIP+0x9133910]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007728cd50 6 bytes {JMP QWORD [RIP+0x92132e0]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007728d2b0 6 bytes {JMP QWORD [RIP+0x8f52d80]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendMessageA 000000007728d338 6 bytes {JMP QWORD [RIP+0x8f92cf8]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007728dc40 6 bytes {JMP QWORD [RIP+0x90723f0]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007728f510 6 bytes {JMP QWORD [RIP+0x9250b20]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007728f874 6 bytes {JMP QWORD [RIP+0x8e907bc]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007728fac0 6 bytes {JMP QWORD [RIP+0x8ff0570]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077290b74 6 bytes {JMP QWORD [RIP+0x8f6f4bc]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772933b0 6 bytes {JMP QWORD [RIP+0x8eecc80]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077294d4d 5 bytes {JMP QWORD [RIP+0x8eab2e4]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!GetKeyState 0000000077295010 6 bytes {JMP QWORD [RIP+0x910b020]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077295438 6 bytes {JMP QWORD [RIP+0x902abf8]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendMessageW 0000000077296b50 6 bytes {JMP QWORD [RIP+0x8fa94e0]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!PostMessageW 00000000772976e4 6 bytes {JMP QWORD [RIP+0x8f2894c]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007729dd90 6 bytes {JMP QWORD [RIP+0x90a22a0]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!GetClipboardData 000000007729e874 6 bytes {JMP QWORD [RIP+0x91e17bc]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007729f780 4 bytes [FF, 25, B0, 08] .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetClipboardViewer + 5 000000007729f785 1 byte [09] .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772a28e4 6 bytes {JMP QWORD [RIP+0x903d74c]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!mouse_event 00000000772a3894 6 bytes {JMP QWORD [RIP+0x8e3c79c]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000772a8a10 6 bytes {JMP QWORD [RIP+0x90d7620]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000772a8be0 6 bytes {JMP QWORD [RIP+0x8fb7450]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772a8c20 6 bytes {JMP QWORD [RIP+0x8e57410]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendInput 00000000772a8cd0 6 bytes {JMP QWORD [RIP+0x90b7360]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!BlockInput 00000000772aad60 6 bytes {JMP QWORD [RIP+0x91b52d0]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772d14e0 6 bytes {JMP QWORD [RIP+0x924eb50]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!keybd_event 00000000772f45a4 6 bytes {JMP QWORD [RIP+0x8dcba8c]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000772fcc08 6 bytes {JMP QWORD [RIP+0x9023428]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000772fdf18 6 bytes {JMP QWORD [RIP+0x8fa2118]} .text C:\Windows\Explorer.EXE[3232] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd0650a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x34dd64]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x36db70]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x38a440]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x307c98]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes {JMP QWORD [RIP+0x2e7658]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x326cec]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x3c4638]} .text C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x3a3750]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [EC, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes [D7, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes [DD, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [D4, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes [E0, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [F8, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 70f6000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 70f6000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70db000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70db000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 70c9000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 70c9000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 70fc000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 70fc000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 00000000cbf7d00d .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [D1, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [E6, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [CE, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [E3, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [F2, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [EF, 70] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes JMP 7156000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes JMP 714a000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes JMP 7105000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes JMP 7144000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [0A, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes JMP 7150000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [19, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x7101001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes [16, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes JMP 7153000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [13, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [25, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [28, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes JMP 710e000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x70fe001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [10, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [1C, 71] .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751e58b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000751e5ea6 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000751e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000751eb895 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000751ec332 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000751ecbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000751ee743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075214857 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\IVONA\IVONA Reader\IVONA Reader.exe[4904] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007504124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [ED, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes [DE, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [D5, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [F9, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [EA, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [D2, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [E7, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [CF, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [E4, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [F3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [F0, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes CALL 71ac0000 .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [CE, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 70ba000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 70ba000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 70c0000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 70c0000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [B6, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 70c3000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 70c3000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [EA, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 70e8000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 70e8000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70bd000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70bd000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 70ab000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 70ab000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 70ee000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 70ee000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [CB, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [B3, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70ae000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70ae000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [C8, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [B0, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [C5, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [E4, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [D1, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076968791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751e58b3 6 bytes JMP 717e000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000751e5ea6 6 bytes JMP 7178000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000751e7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000751eb895 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000751ec332 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000751ecbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000751ee743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075214857 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes JMP 7148000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes JMP 713c000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes JMP 70f7000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes JMP 7136000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes JMP 7130000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [FC, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes JMP 7142000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [0B, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x70f3001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes JMP 7109000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes JMP 7109000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes JMP 7139000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x70f9001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes JMP 7151000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes JMP 7133000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [05, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes JMP 7112000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [17, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [1A, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes {JMP QWORD [RIP+0x70ff001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x70f0001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [02, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [0E, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4116] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [DF, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes [CA, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [C7, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes [D3, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes {JMP 0x72} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [DC, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [C4, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [D9, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [C1, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [D6, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [E5, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [E2, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes {JMP QWORD [RIP+0x7151001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes {JMP QWORD [RIP+0x7145001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes {JMP QWORD [RIP+0x70f7001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes {JMP QWORD [RIP+0x7136001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes {JMP QWORD [RIP+0x7130001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [FD, 70] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes {JMP QWORD [RIP+0x714b001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x7115001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [0C, 71] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x70f4001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes [09, 71] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes {JMP QWORD [RIP+0x714e001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x7148001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x7154001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes {JMP QWORD [RIP+0x7139001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x70fa001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x7124001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x712a001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes {JMP QWORD [RIP+0x7133001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [06, 71] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x7121001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x711e001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes {JMP QWORD [RIP+0x7112001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [18, 71] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [1B, 71] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes {JMP QWORD [RIP+0x7100001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x70f1001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x712d001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x7127001e]} .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [03, 71] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [0F, 71] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\System32\svchost.exe[5252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[5252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [E7, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes [D2, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes [D8, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [CF, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes [DB, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [F3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes [F0, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes [D5, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes [C3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes [F6, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [E4, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [CC, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes [C6, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [E1, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [C9, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [DE, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [ED, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [EA, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes {JMP QWORD [RIP+0x70ff001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [05, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [14, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes [11, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [0E, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [20, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [23, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x70f9001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [0B, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [17, 71] .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x2fdd64]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x2b7c98]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes {JMP QWORD [RIP+0x297658]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x2d6cec]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed2a6f0 6 bytes {JMP QWORD [RIP+0x135940]} .text C:\Windows\System32\svchost.exe[5768] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed50c10 6 bytes {JMP QWORD [RIP+0x12f420]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [DE, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [02, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes [D5, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!DispatchMessageW 000000007575787b 5 bytes JMP 0000000157766c20 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!DispatchMessageA 0000000075757bbb 5 bytes JMP 0000000157766bf0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075758a29 5 bytes JMP 0000000157767600 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075758e4e 3 bytes JMP 0000000157766d80 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWindowPos + 4 0000000075758e52 1 byte [E2] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!DestroyWindow 0000000075759a55 3 bytes JMP 0000000157766d50 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!DestroyWindow + 4 0000000075759a59 1 byte [E2] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007575d22e 5 bytes JMP 00000001577674c0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes [14, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000757605ba 5 bytes JMP 0000000157766f40 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075760dfb 3 bytes JMP 0000000157766c50 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!ShowWindow + 4 0000000075760dff 1 byte [E2] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!EndPaint 0000000075761341 3 bytes JMP 0000000157767020 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!EndPaint + 4 0000000075761345 1 byte [E2] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000075761361 3 bytes JMP 0000000157766fc0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!BeginPaint + 4 0000000075761365 1 byte [E2] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 00000000757628da 5 bytes JMP 0000000157767440 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes [23, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes [20, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetCursor 00000000757641f6 3 bytes JMP 0000000157766500 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetCursor + 4 00000000757641fa 1 byte [E2] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075765f74 5 bytes JMP 0000000157766ee0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000075767b3b 5 bytes JMP 0000000157766fa0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!AnimateWindow 000000007576b531 5 bytes JMP 0000000157766df0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindow 000000007576ba4a 5 bytes JMP 0000000157767370 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes [1D, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes [2F, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!WindowFromPoint 000000007577ed12 5 bytes JMP 0000000157766520 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetCapture 000000007577ed56 5 bytes JMP 0000000157766ec0 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007577f170 5 bytes JMP 0000000157766e80 .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes [32, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes [1A, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes [26, 71] .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751e58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000751e5ea6 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000751e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000751eb895 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000751ec332 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000751ecbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000751ee743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075214857 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Raptr\raptr.exe[6372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 5 bytes JMP 0000000077660460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774f13b0 5 bytes JMP 0000000077660450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774f1510 5 bytes JMP 0000000077660370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 5 bytes JMP 0000000077660470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 5 bytes JMP 00000000776603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x926ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 5 bytes JMP 0000000077660320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774f1650 5 bytes JMP 00000000776603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774f1670 5 bytes JMP 0000000077660390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 5 bytes JMP 00000000776602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x928e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 5 bytes JMP 00000000776602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 5 bytes JMP 0000000077660310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 5 bytes JMP 00000000776603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 5 bytes JMP 00000000776603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x924e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774f1940 5 bytes JMP 0000000077660230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x931e640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 5 bytes JMP 0000000077660480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774f1b30 5 bytes JMP 00000000776603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x916e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 5 bytes JMP 00000000776602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774f1c20 5 bytes JMP 0000000077660350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 5 bytes JMP 0000000077660290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 5 bytes JMP 00000000776602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x92ae310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 5 bytes JMP 00000000776603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774f1d40 5 bytes JMP 0000000077660330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774f1db0 5 bytes JMP 0000000077660410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774f1de0 5 bytes JMP 0000000077660240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 5 bytes JMP 00000000776601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x92cdf00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774f2160 5 bytes JMP 0000000077660250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 5 bytes JMP 0000000077660490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 5 bytes JMP 00000000776604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 5 bytes JMP 0000000077660300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774f21e0 5 bytes JMP 0000000077660360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 5 bytes JMP 00000000776602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 5 bytes JMP 00000000776602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774f22c0 5 bytes JMP 0000000077660380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774f22d0 5 bytes JMP 0000000077660340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774f25c0 5 bytes JMP 0000000077660440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774f27c0 5 bytes JMP 0000000077660260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774f27d0 5 bytes JMP 0000000077660270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774f27e0 5 bytes JMP 0000000077660400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 5 bytes JMP 00000000776601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774f29b0 5 bytes JMP 0000000077660210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 5 bytes JMP 0000000077660200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774f2a80 5 bytes JMP 0000000077660420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774f2a90 5 bytes JMP 0000000077660430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 5 bytes JMP 0000000077660220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774f2b80 5 bytes JMP 0000000077660280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes {JMP QWORD [RIP+0x2fdd64]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x33a440]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes {JMP QWORD [RIP+0x2b7c98]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes {JMP QWORD [RIP+0x297658]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes {JMP QWORD [RIP+0x2d6cec]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes [E1, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [DE, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes [EA, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [02, 71] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes [E4, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes [D2, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Raptr\raptr_im.exe[6356] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes [DB, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes [D8, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes [E4, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes [FC, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes [CC, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7100000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7100000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes [ED, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes [D5, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007696103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076961072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[5704] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007696103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076961072 6 bytes JMP 7199000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007698c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075758332 6 bytes JMP 7160000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075758bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757590d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075759679 6 bytes JMP 714e000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757597d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007575ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007575efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007575efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757612a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007576291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetParent 0000000075762d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075762d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075762da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075763698 3 bytes JMP 7121000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007576369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075763baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075763c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075766110 6 bytes JMP 7163000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007576612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075766c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075767603 6 bytes JMP 7169000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075767668 6 bytes JMP 713c000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757676e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007576781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007576835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007576c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007576c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007577c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007577d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007577eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007577ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007577ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendInput 000000007577ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007577ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075799f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757a1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757b027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757b02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757b6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757b6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757b7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757b7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757b88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757b88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751e58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000751e5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000751e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000751eb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000751ec332 6 bytes JMP 717b000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000751ecbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000751ee743 6 bytes JMP 718a000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075214857 6 bytes JMP 7178000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000768f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000768f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007504124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Program Files (x86)\OCCTPT\OCCT.exe[9188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x90eeac0]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x91cea50]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x918ea10]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x91ee970]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x916e8e0]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x906e8a0]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x908e850]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x91ae830]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x926e640]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x904e530]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x910e460]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x920e310]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x924e300]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x912df90]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x922df00]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x914d690]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x90ad610]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x90cd590]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd369055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd3753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefedd22cc 6 bytes JMP 0 .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedd24c0 6 bytes {JMP QWORD [RIP+0x31db70]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefedd5bf0 6 bytes {JMP QWORD [RIP+0x33a440]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedd8398 6 bytes JMP 0 .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedd89d8 6 bytes JMP ffffffff .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!GetPixel 000007fefedd9344 6 bytes JMP 310034 .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeddb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe[7336] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeddc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Users\Bart 000000007769f9e0 3 bytes JMP 71af000a .text + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Users\Bart 000000007696103d 6 bytes JMP 719c000a .text C:\Users\Bart 0000000076961072 6 bytes JMP 7199000a .text C:\Users\Bart 0000000076c8f784 6 bytes JMP 719f000a .text + 493 0000000076c92c9e 4 bytes CALL 71ac0000 .text C:\Users\Bart 0000000075758332 6 bytes JMP 7160000a .text C:\Users\Bart 0000000075758bff 6 bytes JMP 7154000a .text C:\Users\Bart 00000000751e58b3 6 bytes JMP 7184000a .text C:\Users\Bart 00000000751e5ea6 6 bytes JMP 717e000a .text C:\Users\Bart 00000000768f2642 6 bytes JMP 7196000a .text C:\Users\Bart 00000000768f5429 6 bytes JMP 7193000a .text C:\Users\Bart 000000007504124e 6 bytes JMP 7181000a .text + 69 00000000768a1465 2 bytes [8A, 76] .text + 155 00000000768a14bb 2 bytes [8A, 76] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\services.exe[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\services.exe[ntdll.dll!NtShutdownSystem] [805b0000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtShutdownSystem] [805b0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[728] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsm.exe[736] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[892] @ c:\windows\system32\umpo.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[892] @ c:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[980] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[560] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1084] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1140] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\System32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1184] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1184] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1216] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1216] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1216] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\AUDIODG.EXE[1284] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1312] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\atieclxx.exe[1484] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\spoolsv.exe[1788] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1856] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\ASRock\XFast LAN\spd.exe[1800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\OO Software\Defrag\oodag.exe[2196] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2704] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3448] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[2648] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\Dwm.exe[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\dwmcore.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\Dwm.exe[1016] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\System32\gameux.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\System32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\authui.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\taskeng.exe[2768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskeng.exe[2768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskeng.exe[2768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\ASRock\XFast LAN\cfosspeed.exe[4252] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4316] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4472] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[4808] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3680] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[5252] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[5768] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6912] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Raptr\raptr_ep64.exe[6500] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Raptr\raptr_ep64.exe[6500] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Raptr\raptr_ep64.exe[6500] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [892:5412] 000007fef3622154 Thread C:\Windows\system32\svchost.exe [980:5032] 000007fef3622154 Thread C:\Windows\system32\svchost.exe [980:4480] 000007fefc444af4 Thread C:\Windows\system32\svchost.exe [560:1548] 000007fef9e0341c Thread C:\Windows\system32\svchost.exe [560:1556] 000007fef9e03a2c Thread C:\Windows\system32\svchost.exe [560:1560] 000007fef9e03768 Thread C:\Windows\system32\svchost.exe [560:1564] 000007fef9e05c20 Thread C:\Windows\system32\svchost.exe [560:2172] 000007fef8eebd88 Thread C:\Windows\system32\svchost.exe [560:2464] 000007fef82f83d8 Thread C:\Windows\system32\svchost.exe [560:2468] 000007fef82f83d8 Thread C:\Windows\system32\svchost.exe [560:2576] 000007fef7b33f1c Thread C:\Windows\system32\svchost.exe [560:2580] 000007fef7b01a38 Thread C:\Windows\system32\svchost.exe [560:2584] 000007fef7af5388 Thread C:\Windows\system32\svchost.exe [560:2588] 000007fef7ad7738 Thread C:\Windows\system32\svchost.exe [560:2600] 000007fef7ac1f90 Thread C:\Windows\system32\svchost.exe [560:3092] 000007fef56b0098 Thread C:\Windows\system32\svchost.exe [560:3104] 000007fef56a2a00 Thread C:\Windows\system32\svchost.exe [560:3108] 000007fef56ac5b0 Thread C:\Windows\system32\svchost.exe [560:3672] 000007fef8a25124 Thread C:\Windows\system32\svchost.exe [560:3688] 000007fef4425ab4 Thread C:\Windows\system32\svchost.exe [560:3704] 000007fef442a7b0 Thread C:\Windows\system32\svchost.exe [560:3708] 000007fef4495170 Thread C:\Windows\system32\svchost.exe [560:3712] 000007fef444a928 Thread C:\Windows\system32\svchost.exe [560:7020] 000007fef9e03900 Thread C:\Windows\system32\svchost.exe [560:5448] 000007fef5692f50 Thread C:\Windows\System32\svchost.exe [1084:5056] 000007feef806b8c Thread C:\Windows\System32\svchost.exe [1084:4236] 000007feef801d88 Thread C:\Windows\System32\svchost.exe [1140:1196] 000007fefa88f2c0 Thread C:\Windows\System32\svchost.exe [1140:1252] 000007fefafd6204 Thread C:\Windows\System32\svchost.exe [1140:1440] 000007fefa12331c Thread C:\Windows\System32\svchost.exe [1140:1604] 000007fef99d59a0 Thread C:\Windows\System32\svchost.exe [1140:1748] 000007fefcc41a70 Thread C:\Windows\System32\svchost.exe [1140:3176] 000007fef50820c0 Thread C:\Windows\System32\svchost.exe [1140:3184] 000007fef50826a8 Thread C:\Windows\System32\svchost.exe [1140:3192] 000007fef50829dc Thread C:\Windows\System32\svchost.exe [1140:3196] 000007fef50829dc Thread C:\Windows\System32\svchost.exe [1140:3200] 000007fef50514a0 Thread C:\Windows\System32\svchost.exe [1140:3416] 000007feff4fc608 Thread C:\Windows\System32\svchost.exe [1140:3656] 000007fef473a2b0 Thread C:\Windows\System32\svchost.exe [1140:3828] 000007fef80a44e0 Thread C:\Windows\System32\svchost.exe [1140:3528] 000007feff4fc608 Thread C:\Windows\System32\svchost.exe [1140:4272] 000007feff4fc608 Thread C:\Windows\System32\svchost.exe [1140:4344] 000007feff4fc608 Thread C:\Windows\System32\svchost.exe [1140:1876] 000007feff4fc608 Thread C:\Windows\System32\svchost.exe [1140:4424] 000007feff4fc608 Thread C:\Windows\System32\svchost.exe [1140:6784] 000007feec653efc Thread C:\Windows\System32\svchost.exe [1140:6852] 000007feecc38a4c Thread C:\Windows\System32\svchost.exe [1140:6360] 000007fef88188f8 Thread C:\Windows\system32\svchost.exe [1216:1756] 000007fef94e1e00 Thread C:\Windows\system32\svchost.exe [1216:1768] 000007fef9431a50 Thread C:\Windows\system32\svchost.exe [1216:2144] 000007fefcc41a70 Thread C:\Windows\system32\svchost.exe [1216:2556] 000007fef7e284d8 Thread C:\Windows\system32\svchost.exe [1216:2564] 000007fefcc41a70 Thread C:\Windows\system32\svchost.exe [1216:2604] 000007fef7de23a8 Thread C:\Windows\system32\svchost.exe [1216:2620] 000007fef7e60d00 Thread C:\Windows\system32\svchost.exe [1216:2624] 000007fef7a99498 Thread C:\Windows\system32\svchost.exe [1216:3724] 000007fef43cce0c Thread C:\Windows\system32\svchost.exe [1216:3728] 000007fef439c8ec Thread C:\Windows\system32\svchost.exe [1216:3720] 000007fef3d3506c Thread C:\Windows\system32\svchost.exe [1216:680] 000007fef78f1c20 Thread C:\Windows\system32\svchost.exe [1216:3576] 000007fef78f1c20 Thread C:\Windows\system32\svchost.exe [1216:3052] 000007fef43cce0c Thread C:\Windows\system32\svchost.exe [1216:2396] 000007fef8a25124 Thread C:\Windows\System32\spoolsv.exe [1788:2284] 000007fef87310c8 Thread C:\Windows\System32\spoolsv.exe [1788:2304] 000007fef86f6144 Thread C:\Windows\System32\spoolsv.exe [1788:2320] 000007fef84e5fd0 Thread C:\Windows\System32\spoolsv.exe [1788:2324] 000007fef84d3438 Thread C:\Windows\System32\spoolsv.exe [1788:2328] 000007fef84e63ec Thread C:\Windows\System32\spoolsv.exe [1788:2336] 000007fef8855e5c Thread C:\Windows\System32\spoolsv.exe [1788:2352] 000007fef8885074 Thread C:\Windows\system32\svchost.exe [1856:2064] 000007fef92135c0 Thread C:\Windows\system32\svchost.exe [1856:3152] 000007fef9215600 Thread C:\Windows\system32\svchost.exe [1856:3404] 000007fef4c32940 Thread C:\Windows\system32\svchost.exe [1856:3856] 000007fef3d12888 Thread C:\Windows\system32\svchost.exe [1856:7464] 000007fef3d12a40 Thread C:\Windows\SysWOW64\svchost.exe [2100:1116] 0000000073df17a4 Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:2252] 0000000076567587 Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3324] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3328] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3332] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3336] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3340] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3808] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:3684] 0000000071f8345e Thread C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [3044:1956] 000000006dc71854 Thread C:\Windows\system32\Dwm.exe [1016:3548] 000007fef36dabf0 Thread C:\Windows\System32\svchost.exe [5252:6564] 000007feef6397fc Thread C:\Windows\System32\svchost.exe [5252:6568] 000007feef646a04 Thread C:\Windows\System32\svchost.exe [5252:6772] 000007feef63df84 Thread C:\Windows\System32\svchost.exe [5252:6776] 000007feef63bc88 Thread C:\Windows\System32\svchost.exe [5252:6164] 000007fee85f9688 Thread C:\Windows\System32\svchost.exe [5768:6056] 000007fef4495170 Thread C:\Windows\System32\svchost.exe [5768:7484] 000007fef8a29874 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----